Collect Microsoft 365 logs

Supported in:

Google SecOps SIEM

This document describes how you can collect Microsoft 365 logs by setting up a Google Security Operations feed and how log fields map to Google Security Operations Unified Data Model (UDM) fields. This document also lists the supported audited activities and supported Microsoft 365 version.

For an overview about data ingestion to Google Security Operations, see Data ingestion to Google Security Operations.

Overview

The following deployment architecture diagram shows how Microsoft 365 and Google Security Operations feed is configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

Deployment architecture

The architecture diagram shows the following components:

Microsoft 365. The Microsoft 365 service from which you collect logs.
Google Security Operations feed. The Google Security Operations feed that fetches logs from Microsoft 365 and writes logs to Google Security Operations.
Google Security Operations. Google Security Operations retains and analyzes the logs from Microsoft 365.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.

Before you begin

Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later and verify that you have a Microsoft 365 Enterprise E5 subscription with Microsoft Security and Compliance Center feature.
Grant the required privileges and permissions to the user to generate and export different events for all the supported Microsoft products. A user whose credentials are used to authenticate against the API must have the ActivityFeed.Read permission. To ingest DLP data, the ActivityFeed.ReadDlp permission is required. For information about permissions, see Permissions to access management APIs
Configure Microsoft 365 to search and export logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. It takes up to 24 hours to generate the logs. For more information, see Search the audit log
Ensure that all systems in the deployment architecture are configured in the UTC time zone.

Review the activities and products that the Google Security Operations parser supports. The following table list the activities and products that the Google Security Operations parser supports:

Activities	Products
File and page activities	SharePoint Online and OneDrive for Business
Folder activities	SharePoint Online and OneDrive for Business
SharePoint list activities	SharePoint Online
Sharing and access request activities	SharePoint Online and OneDrive for Business
Synchronization activities	SharePoint Online and OneDrive for Business
Site permissions activities	SharePoint Online
Site administration activities	SharePoint Online
Exchange mailbox activities	Microsoft 365 Group mailboxes
User administration activities	Microsoft 365 admin center
Azure AD group administration activities	Microsoft 365 admin center
Application administration activities	When an administrator adds or changes an application that is registered in Azure AD
Role administration activities	Microsoft 365 admin center
Directory administration activities	Microsoft 365 admin center
Power BI activities	Power BI
Microsoft Teams activities	Microsoft Teams
Microsoft Teams Shifts activities	Shifts app in Microsoft Teams
Microsoft Teams Healthcare activities	Patients application in Microsoft Teams
Microsoft Teams Shifts activities	Shifts app in Microsoft Teams
Yammer activities	Yammer
Microsoft Power Automate activities	Power Automate (formerly called Microsoft Flow)
Microsoft PowerApps activities	Power Apps
Microsoft Stream activities	Microsoft Stream
Quarantine activities	Quarantine email messages in Office 365
Microsoft Forms activities	Microsoft Teams
Sensitivity label activities	Labeling activities for SharePoint Online and Teams
Retention policy and retention label activities	NA
Briefing email activities	Briefing email
MyAnalytics activities	MyAnalytics
Information barriers activities	NA
Disposition review activities	NA
Communication compliance activities	NA
Undefined Activity	NA

Configure a feed in Google Security Operations to ingest Microsoft 365 logs

Go to Google Security Operations settings, and click Feeds.
Click Add New.
Select Third party API for Source Type.
Select Office 365 for Log Type.
Click Next.
Based on the Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret, and Tenant ID details.
Select the Content type for which you are creating this feed. You must create a separate feed for each content type that you require.
Click Next and then Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation.

Field mapping reference

This section explains how the Google Security Operations parser maps Microsoft 365 log fields to Google Security Operations Unified Data Model (UDM) fields for the supported operations and workloads.

Common fields

The following table lists the common log fields and their corresponding UDM fields.

Common log field	UDM field
ID	`metadata.product_log_id`
RecordType	security_result.detection_fields.key/value security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc
CreationTime	`metadata.event_timestamp`
Operation	`metadata.product_event_type`
OrganizationId	`principal.resource.product_object_id`
UserType	`principal.user.attribute.roles.name`
UserId	principal.user.email_addresses or principal.user.userid target.user.email_addresses or target.user.userid If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user If UserId value contains email address then it is mapped to email_address, else it is mapped to userid.
ClientIP	principal.ip and principal.port
Workload	`target.application`
AppAccessContext	network.session.id security_result.detection_fields.key/value AADSessionId is mapped to network.session.id CorrelationId is mapped to security_result.detection_fields.key/value

For reference information about UDM mappings for supported operations, refer to the following sections:

FileAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "Fileaccessed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
FileSizeBytes	`target.file.size`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileAccessedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessedExtended" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeleted" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileCopied

The following table lists the log fields and corresponding UDM mappings for the operation "FileCopied" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileModified

The following table lists the log fields and corresponding UDM mappings for the operation "FileModified" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
FileSizeBytes	`target.file.size`
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`

FileDownloaded

The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloaded" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
UserSessionId	`network.http.session_id`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
ZipFileName	`principal.resource.parent`

FileModifiedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "FileModifiedExtended" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
FileSizeBytes	`target.file.size`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`

FileMoved

The following table lists the log fields and corresponding UDM mappings for the operation "FileMoved" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FilePreviewed

The following table lists the log fields and corresponding UDM mappings for the operation "FilePreviewed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`

FileUploaded

The following table lists the log fields and corresponding UDM mappings for the operation "FileUploaded" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
ImplicitShare	`target.resource.attribute.labels.key/value`

FileVersionsAllDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllDeleted" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

FileCheckedIn

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedIn" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	workload map with intermediary.application
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedOut" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	Uniquely Identify resource in site like File or Folder
ItemType	This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	Information about the user's browser. This information is provided by the browser.
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

ComplianceSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSettingChanged" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`

LockRecord

The following table lists the log fields and corresponding UDM mappings for the operation "LockRecord" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

UnlockRecord

The following table lists the log fields and corresponding UDM mappings for the operation "UnlockRecord" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedFirstStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedSecondStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

RecordDelete

The following table lists the log fields and corresponding UDM mappings for the operation "RecordDelete" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileCheckOutDiscarded

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckOutDiscarded" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileVersionsAllMinorsRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllMinorsRecycled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileVersionsAllRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllRecycled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileVersionRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionRecycled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileRestored

The following table lists the log fields and corresponding UDM mappings for the operation "FileRestored" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileMalwareDetected

The following table lists the log fields and corresponding UDM mappings for the operation "FileMalwareDetected" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
VirusInfo	`security_result.threat_name`
VirusVendor	`target.labels.key/value` (deprecated)
VirusVendor	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

SearchQueryPerformed

The following table lists the log fields and corresponding UDM mappings for the operation "SearchQueryPerformed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SearchQueryText	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
EventData	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

PageViewed

The following table lists the log fields and corresponding UDM mappings for the operation "PageViewed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

PagePrefetched

The following table lists the log fields and corresponding UDM mappings for the operation "PagePrefetched" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

ClientViewSignaled

The following table lists the log fields and corresponding UDM mappings for the operation "ClientViewSignaled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

PageViewedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "PageViewedExtended" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

FolderCreated

The following table lists the log fields and corresponding UDM mappings for the operation "FolderCreated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeleted" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderMoved

The following table lists the log fields and corresponding UDM mappings for the operation "FolderMoved" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} SourceRelativeUrl field not getting in log
DestinationRelativeUrl	DestinationRelativeUrl field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	DestinationFileName field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRenamed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderModified

The following table lists the log fields and corresponding UDM mappings for the operation "FolderModified" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderCopied

The following table lists the log fields and corresponding UDM mappings for the operation "FolderCopied" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	`src.file.full_path`
SourceRelativeUrl	`src.file.full_path`
DestinationRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension	`target.file.mime_type`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderRestored

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRestored" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedFirstStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FolderDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedSecondStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileSyncDownloadedFull

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedFull" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is set to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
FileSyncBytesCommitted	`src.file.size`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileSyncDownloadedPartial

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedPartial" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to src.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
FileSyncBytesCommitted	`src.file.size`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileSyncUploadedFull

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedFull" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
FileSyncBytesCommitted	`target.file.size`
ImplicitShare	`target.resource.attribute.labels.key/value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

FileSyncUploadedPartial

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedPartial" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
FileSizeBytes	`target.file.size`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
FileSyncBytesCommitted	`target.file.size`
ImplicitShare	`target.resource.attribute.labels.key/value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

ManagedSyncClientAllowed

The following table lists the log fields and corresponding UDM mappings for the operation "ManagedSyncClientAllowed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_WRITTEN
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

UnmanagedSyncClientBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "UnmanagedSyncClientBlocked" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

AddedToGroup

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToGroup" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	`target.group.group_display_name`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

GroupAdded

The following table lists the log fields and corresponding UDM mappings for the operation "GroupAdded" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ObjectId is mapped to target.url
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

GroupRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "GroupRemoved" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

WebRequestAccessModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebRequestAccessModified" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ModifiedProperties	If the `Name` log field value is equal to `RequestAccessEmail`, then the `NewValue` log field is mapped to the `target.user.email_addresses` or `target.user.userid` UDM field. Else, the `NewValue` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
ItemType	`target.resource.attribute.labels.key/value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

WebMembersCanShareModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebMembersCanShareModified" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
version	`metadata.product_version`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

PermissionLevelModified

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelModified" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ModifiedProperties	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name
version	`metadata.product_version`
WebID	`about.labels.key/value` (deprecated)
WebID	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

SiteCollectionAdminAdded

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminAdded" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

SiteCollectionAdminRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminRemoved" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId	`about.labels.key/value` (deprecated)
AssertingApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

PermissionLevelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelRemoved" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	`target.resource.attribute.permissions.name`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

RemovedFromGroup

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromGroup" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	`target.group.group_display_name`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

GroupUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "GroupUpdated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.referral_url`
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

ProjectCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectCheckedOut" and workload "Project":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
CorrelationId	`security_result.detection_fields.key/value`
Entity	`metadata.product_name`
Version	`metadata.product_version`
Action	`security_result.description`
OnBehalfOfResId	`about.labels.key/value` (deprecated)
OnBehalfOfResId	`additional.fields.key` and `additional.fields.value.string_value`

ProjectAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectAccessed" and workload "Project":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
CorrelationId	`security_result.detection_fields.key/value`
Entity	`metadata.product_name`
Version	`metadata.product_version`
Action	`security_result.description`
OnBehalfOfResId	`about.labels.key/value` (deprecated)
OnBehalfOfResId	`additional.fields.key` and `additional.fields.value.string_value`

SharingInheritanceBroken

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInheritanceBroken" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`

AddedToSecureLink

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToSecureLink" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	`security_result.detection_fields.key/value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ApplicationDisplayName	`target.application`

CompanyLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkCreated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`

CompanyLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkUsed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

SecureLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkCreated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`

SharingInvitationCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationCreated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`

SecureLinkDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkDeleted" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
ApplicationDisplayName	`target.application`

RemovedFromSecureLink

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSecureLink" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`

SharingInvitationRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationRevoked" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`

SecureLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUpdated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`

SecureLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUsed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

SharingRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingRevoked" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

SharingSet

The following table lists the log fields and corresponding UDM mappings for the operation "SharingSet" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

PermissionLevelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelAdded" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name

SharingInvitationAccepted

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationAccepted" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.name Added to Group is mapped to target.resource.name

SharingInvitationBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationBlocked" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	security_result.summary Reason is mapped to security_result.summary

AccessRequestCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestCreated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value

AnonymousLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkCreated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`

AccessRequestUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestUpdated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`

CompanyLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkRemoved" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value

AccessRequestApproved

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestApproved" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.name Extract using grok grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } }
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`

AnonymousLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkRemoved" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	`target.resource.attribute.labels.key/value`
SourceFileExtension	`target.file.mime_type`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	network.http.referral_url Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
MachineId	`target.asset.product_object_id`

AnonymousLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUpdated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
ApplicationDisplayName	`target.application`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
UniqueSharingId	`target.labels.key/value` (deprecated)
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SharingInvitationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationUpdated" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
ApplicationDisplayName	`target.application`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
	event_type is mapped to USER_RESOURCE_ACCESS
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	`target.application`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

AnonymousLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUsed" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add group

The following table lists the log fields and corresponding UDM mappings for the operation "Add group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set toGroup membership update failed
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add member to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add member to group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_CREATION`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	`principal.ip and principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add user

The following table lists the log fields and corresponding UDM mappings for the operation Add user and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `Is HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
Target	`target.user.userid or target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Change user license.

The following table lists the log fields and corresponding UDM mappings for the operation "Change user license." and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Change user password

The following table lists the log fields and corresponding UDM mappings for the operation "Change user password" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group deletion successful ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group deletion failed
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Delete group

The following table lists the log fields and corresponding UDM mappings for the operation "Delete group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group membership update failed
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove member from group

The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION if status is Success then action ALLOW security_result.summary User deleted successfully
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Delete user

The following table lists the log fields and corresponding UDM mappings for the operation Delete user and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED` `ResultStatus` is `Success` `Action` is set to `ALLOW` `security_result.summary` is `User updated successfully` `ResultStatus` is `Failure` `Action` is set to `BLOCK` `security_result.summary` is `User update failed`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	`principal.ip and principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Update user

The following table lists the log fields and corresponding UDM mappings for the operation Update user and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type is mapped to GROUP_MODIFICATION` if `ObjectId` not contain (empty) or `Not Available` then `ObjectId` is set to `target.group.product_object_id`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
`ModifiedProperties`	`security_result.detection_fields.key/value` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value` If the `Name` log field value is equal to `TargetId.UserType`, then the `NewValue` and `Oldvalue` log fields are mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields. If `Name` is `StrongAuthenticationPhoneAppDetail` then from `NewValue`, `DeviceName` is mapped to `target.asset.hostname`, `PhoneAppVersion` is mapped to `target.asset.software.version`, `DeviceId` is mapped to `target.asset.asset_id`, `Id` is mapped to `target.asset.product_object_id`, `DeviceToken` is mapped to `target.asset.attribute.labels.key/value`, `DeviceTag` is mapped to `target.asset.attribute.labels.key/value`, `OathTokenTimeDrift` is mapped to `security_result.detection_fields.key/value`, `TimeInterval` is mapped to `security_result.detection_fields.key/value`, `AuthenticationType` is mapped to `security_result.detection_fields.key/value`, `NotificationType` is mapped to `target.asset.attribute.labels.key/value`, `LastAuthenticatedTimestamp` is mapped to `security_result.detection_fields.key/value`, `AuthenticatorFlavor` is mapped to `security_result.detection_fields.key/value`, `HashFunction` is mapped to `security_result.detection_fields.key/value`, `TenantDeviceId` is mapped to `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value`, `SecuredPartitionId` is mapped to `security_result.detection_fields.key/value`, `SecuredKeyId` is mapped to `security_result.detection_fields.key/value`. If `Name` is `StrongAuthenticationPhoneAppDetail` then from `OldValue`, `DeviceName` is mapped to `about.asset.hostname`, `PhoneAppVersion` is mapped to `about.asset.software.version`, `DeviceId` is mapped to `about.asset.asset_id`, `Id` is mapped to `about.asset.product_object_id`, `DeviceToken` is mapped to `about.asset.attribute.labels.key/value`, `DeviceTag` is mapped to `about.asset.attribute.labels.key/value`, `OathTokenTimeDrift` is mapped to `security_result.detection_fields.key/value`, `TimeInterval` is mapped to `security_result.detection_fields.key/value`, `AuthenticationType` is mapped to `security_result.detection_fields.key/value`, `NotificationType` is mapped to `about.asset.attribute.labels.key/value`, `LastAuthenticatedTimestamp` is mapped to `security_result.detection_fields.key/value`, `AuthenticatorFlavor` is mapped to `security_result.detection_fields.key/value`, `HashFunction` is mapped to `security_result.detection_fields.key/value`, `TenantDeviceId` is mapped to `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value`, `SecuredPartitionId` is mapped to `security_result.detection_fields.key`, `SecuredKeyId` is mapped to `security_result.detection_fields.key`. If `Name` is `StrongAuthenticationUserDetails` and `NewValue` contains a JSON object then from `NewValue`, `Email` is mapped to `target.user.email_addresses`, `PhoneNumber` is mapped to `target.user.phone_numbers`, `AlternativePhoneNumber` is mapped to `target.user.phone_numbers`, `VoiceOnlyPhoneNumber` is mapped to `target.user.phone_numbers`. If `Name` is `StrongAuthenticationUserDetails` and `NewValue` does not contain a JSON object then `security_result.detection_fields.key` is set to `StrongAuthenticationUserDetails_NewValue` and `NewValue` is mapped to `security_result.detection_fields.value`. If `Name` is `StrongAuthenticationUserDetails` and `OldValue` contains a JSON object then from `OldValue`, `Email` is mapped to `target.user.email_addresses`, `PhoneNumber` is mapped to `target.user.phone_numbers`, `AlternativePhoneNumber` is mapped to `target.user.phone_numbers`, `VoiceOnlyPhoneNumber` is mapped to `target.user.phone_numbers`. If `Name` is `StrongAuthenticationUserDetails` and `OldValue` does not contain a JSON object then `security_result.detection_fields.key` is set to `StrongAuthenticationUserDetails_OldValue` and `OldValue` is mapped to `security_result.detection_fields.value`. If `Name` is `StrongAuthenticationMethod` and `NewValue` contains a JSON object then the `StrongAuthenticationMethod_NewValue_{NewValue.key}` log field is mapped to `security_result.detection_fields.key` and `NewValue.value` is mapped to `security_result.detection_fields.value`. If `Name` is `StrongAuthenticationMethod` and `NewValue` does not contain a JSON object then `security_result.detection_fields.key` is set to `StrongAuthenticationMethod_NewValue` and `NewValue` is mapped to `security_result.detection_fields.value`. If `Name` is `StrongAuthenticationMethod` and `OldValue` contains a JSON object then the `StrongAuthenticationMethod_OldValue_{OldValue.key}` log field is mapped to `security_result.detection_fields.key` and `OldValue.value` is mapped to `security_result.detection_fields.value`. If `Name` is `StrongAuthenticationMethod` and `OldValue` does not contain a JSON object then `security_result.detection_fields.key` is set to `StrongAuthenticationMethod_OldValue` and `OldValue` is mapped to `security_result.detection_fields.value`.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	`principal.ip` and `principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.group.group_display_name` `target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 1 then `ID` is mapped to `target.group.group_display_name` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Update group

The following table lists the log fields and corresponding UDM mappings for the operation "Update group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN If ResultStatus is Succeeded or ResultStatus is Success security_result.action is ALLOW security_result.summary is User login successful else if ResultStatus is Failed or LogonError !is security_result.action is BLOCK security_result.summary is User login failed security_result.description is {LogonError} UserId is mapped to target.user.userid or target.user.email_addresses metadata.description is User Login - {Workload}
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	`security_result.description`

UserLoggedIn

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoggedIn" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN security_result.Action is set to BLOCK security_result.summary is User login failed
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE If Name is UserAgent then Value is mapped to network.http.user_agent If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type If Name is requestType then Based on Value it will map with extensions.auth.type
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
Actor	`security_result.detection_fields.key/value`
ResultStatusDetail	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is matched to Windows then principal.platform is WINDOWS If Value is matched to Mac then principal_plateform is MAC if Value is matched to Linux then principal_plateform is LINUX `Value` is mapped to `principal.platform_version` } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

UserLoginFailed

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoginFailed" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
ResultStatusDetail	`security_result.detection_fields.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Update StsRefreshTokenValidFrom Timestamp

The following table lists the log fields and corresponding UDM mappings for the operation "Update StsRefreshTokenValidFrom Timestamp" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `targetObjectId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summary If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Update device

The following table lists the log fields and corresponding UDM mappings for the operation "Update device" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Set federation settings on domain

The following table lists the log fields and corresponding UDM mappings for the operation "Set federation settings on domain" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Verify domain

The following table lists the log fields and corresponding UDM mappings for the operation "Verify domain" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Set Company Information

The following table lists the log fields and corresponding UDM mappings for the operation "Set Company Information" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Reset user password

The following table lists the log fields and corresponding UDM mappings for the operation "Reset user password" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `security_result.description` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, if `Name` log field value is equal to `AccountEnabled` then AccountEnabled - `NewValue` is mapped to `security_result.description` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Disable account

The following table lists the log fields and corresponding UDM mappings for the operation "Disable account" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Delete application password for user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete application password for user" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Delete device

The following table lists the log fields and corresponding UDM mappings for the operation "Delete device" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `targetObjectId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add registered users to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered users to device" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.product_object_id target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add registered owner to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered owner to device" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.product_object_id target.resource.name If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add owner to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.group.product_object_id target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add OAuth2PermissionGrant

The following table lists the log fields and corresponding UDM mappings for the operation "Add OAuth2PermissionGrant" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add device

The following table lists the log fields and corresponding UDM mappings for the operation "Add device" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add app role assignment grant to user

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment grant to user" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSION Workload is mapped to intermediary.application
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.user.userid or target.user.email_addresses If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Consent to application

The following table lists the log fields and corresponding UDM mappings for the operation "Consent to application" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Update service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Update service principal" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add member to role

The following table lists the log fields and corresponding UDM mappings for the operation Add member to role and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED` `ResultStatus` is `Success` then `Action` is set to `ALLOW` `security_result.summary` is set to `Added a user to an admin role successfully` `ResultStatus` is `Failure` then `Action` is set to `BLOCK` `security_result.summary` is set to `Added a user to an admin role failed` `ObjectId` is mapped to `target.url`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`target.resource.product_object_id` `target.resource.attribute.roles.name` `target.resource.attribute.labels.key/value` if `Name` is `Role.ObjectId` then `NewValue` is `target.resource.product_object_id` If `Name` is `Role.DisplayName` then `NewValue` is `target.user.attribute.roles.name` if `Name` is `Role.TemplateId` then `NewValue` and `OldValue` is `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	`principal.ip` and `principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove member from role

The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from role" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is Success then Action is set to ALLOW security_result.summary is Removed a user to an admin role successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is Removed a user to an admin role failed
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
	event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add label

The following table lists the log fields and corresponding UDM mappings for the operation "Add label" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is set to target.resource.product_object_id
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Create company

The following table lists the log fields and corresponding UDM mappings for the operation "Create company" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION ObjectId is set to target.resource.product_object_id
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	`target.labels.key/value` (deprecated)
TeamGuid	`additional.fields.key` and `additional.fields.value.string_value`
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`

TeamsSessionStarted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsSessionStarted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

ScheduleGroupAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

ScheduleGroupEdited

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupEdited" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_DELETION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

ScheduleGroupDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupDeleted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING Required fields for SETTING_CREATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
Shift	`target.resource.attribute.labels.value`

ShiftAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
Shift	`target.resource.attribute.labels.value`

ShiftEdited

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftEdited" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
Shift	`target.resource.attribute.labels.value`

ShiftDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftDeleted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
Shift	`target.resource.attribute.labels.value`

TimeOffAdded

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
Shift	`target.resource.attribute.labels.value`

TimeOffEdited

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffEdited" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
Shift	`target.resource.attribute.labels.value`

TimeOffDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffDeleted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
OpenShift	`target.resource.attribute.labels.key/value`

OpenShiftAdded

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
OpenShift	`target.resource.attribute.labels.key/value`

OpenShiftEdited

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftEdited" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
OpenShift	`target.resource.attribute.labels.key/value`

OpenShiftDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftDeleted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

ScheduleShared

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleShared" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

ClockedIn

The following table lists the log fields and corresponding UDM mappings for the operation "ClockedIn" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

BreakStarted

The following table lists the log fields and corresponding UDM mappings for the operation "BreakStarted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

BreakEnded

The following table lists the log fields and corresponding UDM mappings for the operation "BreakEnded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
ShiftRequest	`target.resource.attribute.labels.key/value`

RequestAdded

The following table lists the log fields and corresponding UDM mappings for the operation "RequestAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
ShiftRequest	`target.resource.attribute.label.key/value`

RequestRespondedTo

The following table lists the log fields and corresponding UDM mappings for the operation "RequestRespondedTo" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`
ShiftRequest	`target.resource.attribute.label.key/value`

RequestCancelled

The following table lists the log fields and corresponding UDM mappings for the operation "RequestCancelled" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
ScheduleId	`target.resource.product_object_id`

ScheduleSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleSettingChanged" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`

TeamSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamSettingChanged" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`

AppInstalled

The following table lists the log fields and corresponding UDM mappings for the operation "AppInstalled" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	`target.resource.product_object_id`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.resource.name`
Version	`metadata.product_version`
AppDistributionMode	`about.labels.key/value` (deprecated)
AppDistributionMode	`additional.fields.key` and `additional.fields.value.string_value`
AzureADAppId	`about.labels.key/value` (deprecated)
AzureADAppId	`additional.fields.key` and `additional.fields.value.string_value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.product_object_id`

MemberRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRemoved" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
ChatName	`target.group.group_display_name`
ChatThreadId	target.user.group_identifiers target.group.product_object_id

TabRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "TabRemoved" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
AddOnGuid	`target.resource.product_object_id`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
AddOnName	`target.resource.name`
ChannelName	`target.resource.attribute.labels.key/value`
TeamName	`target.group.group_display_name`

AppUninstalled

The following table lists the log fields and corresponding UDM mappings for the operation "AppUninstalled" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	`target.resource.product_object_id`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.resource.name`
Version	`metadata.product_version`
AppDistributionMode	`about.labels.key/value` (deprecated)
AppDistributionMode	`additional.fields.key` and `additional.fields.value.string_value`
AzureADAppId	`about.labels.key/value` (deprecated)
AzureADAppId	`additional.fields.key` and `additional.fields.value.string_value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.product_object_id`

MemberAdded

The following table lists the log fields and corresponding UDM mappings for the operation "MemberAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
ChatName	`target.group.group_display_name`
ChatThreadId	target.user.group_identifiers target.group.product_object_id

TabAdded

The following table lists the log fields and corresponding UDM mappings for the operation "TabAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
AddOnGuid	`target.resource.product_object_id`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
AddOnName	`target.resource.name`
AddOnUrl	`target.url`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
TeamName	`target.group.group_display_name`

ClockedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ClockedOut" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
ScheduleId	`target.resource.product_object_id`

TeamCreated

The following table lists the log fields and corresponding UDM mappings for the operation "TeamCreated" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	`target.resource.product_object_id`
TeamName	`target.resource.name`
Version	`metadata.product_version`

BotAddedToTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotAddedToTeam" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid	`target.resource.product_object_id`
AddOnName	`target.resource.name`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

ChannelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.resource.product_object_id`
ChannelName	`target.resource.name`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

ConnectorAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorAdded" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

ChannelSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelSettingChanged" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.resource.product_object_id`
ChannelName	`target.resource.name`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

TeamsTenantSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsTenantSettingChanged" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

MemberRoleChanged

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRoleChanged" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name DisplayName is mapped to about.user.user_display_name Role is mapped to about.user.attribute.roles.name UPN is mapped to about.user.email_addresses
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

DeletedAllOrganizationApps

The following table lists the log fields and corresponding UDM mappings for the operation "DeletedAllOrganizationApps" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

ChannelDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelDeleted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.resource.product_object_id`
ChannelName	`target.resource.name`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

TeamDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamDeleted" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	`target.resource.product_object_id`
TeamName	`target.resource.name`

BotRemovedFromTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotRemovedFromTeam" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

ConnectorRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorRemoved" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

ConnectorUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorUpdated" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	`about.user.email_addresses`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`

TabUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "TabUpdated" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.resource.name`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.resource.attribute.labels.key/value`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
Name	`target.resource.attribute.labels.key`
NewValue	`target.resource.attribute.labels.value`
SubscriptionId	`target.resource.attribute.labels.key/value`
TabType	`target.labels.key/value` (deprecated)
TabType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
AddOnUrl	`target.url`

Update

The following table lists the log fields and corresponding UDM mappings for the operation "Update" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	If the `LogonType` log field value is equal to `2`, then the `extensions.auth.mechanism` UDM field is set to `INTERACTIVE`. Else, if the `LogonType` log field value is equal to `3` or `8`, then the `extensions.auth.mechanism` UDM field is set to `NETWORK`. Else, if the `LogonType` log field value is equal to `4`, then the `extensions.auth.mechanism` UDM field is set to `BATCH`. Else, if the `LogonType` log field value is equal to `5`, then the `extensions.auth.mechanism` UDM field is set to `SERVICE`. Else, if the `LogonType` log field value is equal to `7`, then the `extensions.auth.mechanism` UDM field is set to `UNLOCK`. Else, if the `LogonType` log field value is equal to `9`, then the `extensions.auth.mechanism` UDM field is set to `NEW_CREDENTIALS`. Else, if the `LogonType` log field value is equal to `9`, then the `extensions.auth.mechanism` UDM field is set to `REMOTE_INTERACTIVE`. Else, if the `LogonType` log field value is equal to `9`, then the `extensions.auth.mechanism` UDM field is set to `CACHED_INTERACTIVE`. Else, the `extensions.auth.mechanism` UDM field is set to `MECHANISM_UNSPECIFIED`.
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Item	network.email.subject target.resource.product_object_id target.resource.name target.file.size network.email.mail_id target.file.full_path Id is mapped to target.resource.product_object_id Subject is mapped to network.email.subject SizeInBytes is mapped to target.file.size Item.ParentFolder.Path is mapped to target.resource.name InternetMessageId is mapped to network.email.mail_id Attachments is mapped to target.file.full_path
ModifiedProperties	`securiy_result.summary`
SessionId	`network.session_id`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

FolderBind

The following table lists the log fields and corresponding UDM mappings for the operation "FolderBind" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
Item	target.resource.product_object_id target_resource_name network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name
SessionId	`network.session_id`
Version	`metadata.product_version`

SendOnBehalf

The following table lists the log fields and corresponding UDM mappings for the operation "SendOnBehalf" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
Item	network.email.subject network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.email_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id
SessionId	`network.session_id`
SendOnBehalfOfUserSmtp	target.user.userid or target.user.email_addresses
Version	`metadata.product_version`

SendAs

The following table lists the log fields and corresponding UDM mappings for the operation "SendAs" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
SendAsUserMailboxGuid	`about.labels.key/value` (deprecated)
SendAsUserMailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
Item	network.email.subject network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id
SessionId	`network.session_id`
SendAsUserSmtp	target.user.userid or target.user.email_addresses
Version	`metadata.product_version`

Send

The following table lists the log fields and corresponding UDM mappings for the operation "Send" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
Item	network.email.subject network.email.mail_id target.file.full_path target.resource.product_object_id
SessionId	`network.session_id`
Version	`metadata.product_version`

New-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-InboxRule" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
SessionId	`network.session_id`
Version	`metadata.product_version`
Parameters	`security_result.rule_labels.key/value`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`

Set-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-InboxRule" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION ObjectId is set to target.group.product_object_id target.resource.resource_type is set to SETTING
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`security_result.rule_labels.key/value`
SessionId	`network.session_id`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MoveToDeletedItems

The following table lists the log fields and corresponding UDM mappings for the operation "MoveToDeletedItems" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
DestFolder	target.resource.product_object_id target.resource.name
SessionId	`network.session_id`
Version	`metadata.product_version`
AffectedItems	about.file.full_path network.email.subject network.email.mail_id Subject is mapped to network.email.subject ParentFolder.Path is mapped to about.file.full_path AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id
Folder	src.resource.product_object_id src.resource.name
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`

Move

The following table lists the log fields and corresponding UDM mappings for the operation "Move" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
DestFolder	target.resource.product_object_id target.resource.name
SessionId	`network.session_id`
Version	`metadata.product_version`
AffectedItems	about.file.full_path network.email.subject network.email.mail_id
Folder	src.resource.product_object_id src.resource.name

MailItemsAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "MailItemsAccessed" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
OperationProperties	`security_result.detection_fields.key/value.`
SessionId	`network.session_id`
Version	`metadata.product_version`
OperationCount	`about.labels.key/value` (deprecated)
OperationCount	`additional.fields.key` and `additional.fields.value.string_value`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
Folders	about.resource.name about.resource.product_object_id network.email.mail_id Folders.Path is mapped to about.resource.name Folders.Id is mapped to about.resource.product_object_id Folders.0.FolderItems.0.InternetMessageId network_email_id

MailboxLogin

The following table lists the log fields and corresponding UDM mappings for the operation "MailboxLogin" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN auth.Type is MACHINE
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
SessionId	`network.session_id`
Version	`metadata.product_version`

SoftDelete

The following table lists the log fields and corresponding UDM mappings for the operation "SoftDelete" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
AffectedItems	about.file.full_path network.email.subject network.email.mail_id AffectedItems.Attachments is mapped to about.file.full_path AffectedItems.Subject is mapped to network.email.subject AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id
Folder	target.resource.name target.resource.product_object_id Folder.Path is mapped to target.resource.name Folder.Id is mapped to target.resource.product_object_id
SessionId	`network.session_id`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

HardDelete

The following table lists the log fields and corresponding UDM mappings for the operation "HardDelete" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
AffectedItems	about.file.full_path network.email.subject network.email.mail_id
Version	`metadata.product_version`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
Folder	target.resource.name target.resource.product_object_id

Create

The following table lists the log fields and corresponding UDM mappings for the operation "Create" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
Item	target.resource.name target.resource.product_object_id target.file.full_path network.email.subject network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name Item.Subject is mapped to network.email.subject Attachment may present or not in log so write grok for this. Item.Attachments is mapped to target.file.full_path
SessionId	`network.session_id`
Version	`metadata.product_version`

RemoveFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveFolderPermissions" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
Item	target.file.full_path target.resource.attribute.permissions.name target.user.email_addresses or target.user.userid Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid Item.ParentFolder.Path is mapped to target.file.full_path User rights is mapped to target.resource.attribute.permissions.name
SessionId	`network.session_id`
Version	`metadata.product_version`

ModifyFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "ModifyFolderPermissions" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
Item	target.file.full_path target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name
SessionId	`network.session_id`
Version	`metadata.product_version`

AddFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "AddFolderPermissions" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
Item	target.file.full_path target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name Path is mapped to target.file.full_path Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid User Rights is mapped to target.resource.attribute.permissions.name
SessionId	`network.session_id`
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`

Remove-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MailboxPermission" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`security_result.detection_fields.key/value`
SessionId	`network.session_id`
Version	`metadata.product_version`

Add-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxPermission" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`
Version	`metadata.product_version`
AppId	`target.resource.attribute.labels.key/value`
Parameters	`security_result.detection_fields.key/value`
ObjectId	`target.resource.attribute.labels.key/value`

UpdateInboxRules

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInboxRules" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`
Version	`metadata.product_version`
Item	target.resource.product_object_id target.resource.name Item.ParentFolder.name is mapped to target.resource.name Item.ParentFolder.id is mapped to target.resource.product_object_id
OperationProperties	security_result.rule_id security_result.rule_name security_result.detection_fields.key/value if Name is RuleId then Value is mapped to security_result.rule_id if Name is RuleName then Value is mapped to security_result.rule_name else security_result.detection_fields.key/value
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateCalendarDelegation

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCalendarDelegation" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is SERVICE_ACCOUNT
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`

ApplyRecordLabel

The following table lists the log fields and corresponding UDM mappings for the operation "ApplyRecordLabel" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`

UpdateFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderPermissions" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to STORAGE_OBJECT
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`

Set-User

The following table lists the log fields and corresponding UDM mappings for the operation "Set-User" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION ObjectId is set to target.user.userid or target.user.email_addresses
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
Version	`metadata.product_version`

ViewReport

The following table lists the log fields and corresponding UDM mappings for the operation "ViewReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.name`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is mapped to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
ConsumptionMethod	`target.labels.key/value` (deprecated)
ConsumptionMethod	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.attribute.label.key/value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ReportId	`target.resource.product_object_id`
ReportType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkspaceId	`target.resource.attribute.labels.key/value`

GenerateEmbedToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateEmbedToken" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is set to target.file.full_path
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
ConsumptionMethod	`target.labels.key/value` (deprecated)
ConsumptionMethod	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.attribute.label.key/value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ReportId	`target.resource.attribute.labels.key/value`
ReportType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkspaceId	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
EmbedTokenId	`target.resource.product_object_id`
RLSIdentities	about.user.email_addresses about.user.attribute.roles.name RLSIdentities.UserName is mapped to about.user.email_addresses RLSIdentities.Roles is mapped to about.user.attribute.roles.name

CreateDataset

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataset" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.name`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

GenerateCustomVisualAADAccessToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateCustomVisualAADAccessToken" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
CustomVisualAccessTokenResourceId	`target.resource.product_object_id`
CustomVisualAccessTokenSiteUri	`target.url`

DeleteOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteOrganizationalGalleryItem" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationalGalleryItemId	`target.resource.product_object_id`
OrganizationalGalleryItemDisplayName	`target.resource.name`
OrganizationalGalleryItemPublishTime	`target.resource.attribute.labels.key/value`

DeleteAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteAlmPipeline" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineId	`target.labels.key/value` (deprecated)
DeploymentPipelineId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineObjectId	`target.resource.product_object_id`

AddDatasourceToGateway

The following table lists the log fields and corresponding UDM mappings for the operation "AddDatasourceToGateway" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
GatewayId	`target.resource.attribute.labels.key/value`
GatewayType	`target.labels.key/value` (deprecated)
GatewayType	`additional.fields.key` and `additional.fields.value.string_value`
DatasourceId	`target.resource.product_object_id`
DatasourceType	`target.resource.attribute.labels.key/value`

AssignWorkspaceToPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "AssignWorkspaceToPipeline" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`principal.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`principal.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineId	`target.labels.key/value` (deprecated)
DeploymentPipelineId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineObjectId	`target.resource.product_object_id`
DeploymentPipelineStageOrder	`target.labels.key/value` (deprecated)
DeploymentPipelineStageOrder	`additional.fields.key` and `additional.fields.value.string_value`

CancelDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "CancelDataflowRefresh" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
DataflowType	`target.resource.attribute.labels.key/value`

ChangeCapacityState

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeCapacityState" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
CapacityName	`target.resource.name`
CapacityUsers	`about.labels.key/value` (deprecated)
CapacityUsers	`additional.fields.key` and `additional.fields.value.string_value`
CapacityState	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

ChangeGatewayAdministrators

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeGatewayAdministrators" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
GatewayId	`target.resource.product_object_id`
UserInformation	`about.user.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

InsertOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "InsertOrganizationalGalleryItem" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
OrganizationalGalleryItemId	`target.resource.product_object_id`
OrganizationalGalleryItemDisplayName	`target.resource.name`
OrganizationalGalleryItemPublishTime	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

CreateAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "CreateAlmPipeline" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
DeploymentPipelineId	`target.labels.key/value` (deprecated)
DeploymentPipelineId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineObjectId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

CreateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateApp" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.name`
WorkspaceId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

CreateDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDashboard" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION If IsSuccess is true then security_result.summary is Dashboard created successfully else security_result.summary is Dashboard not created
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardId	`target.resource.product_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

CreateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataflow" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_CREATION If IsSuccess is true then security_result.summary is Dataflow created successfully else security_result.summary is Dataflow not created
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DataflowType	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
WorkSpaceName	`target.resource.attribute.labels.key/value`

CreateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "CreateEmailSubscription" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION If IsSuccess is true then security_result.summary is EmailSubscription created successfully else security_result.summary is EmailSubscription not created ObjectId is set to target.file.full_path
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
SubscriptionSchedule	`target.labels.key/value` (deprecated)
SubscriptionSchedule	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
SubscribeeInformation	`network.email.to`
DashboardId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkSpaceName	`target.resource.attribute.labels.key/value`

CreateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "CreateFolder" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
FolderDisplayName	`target.resource.name`
FolderObjectId	`target.resource.attribute.labels.key/value`

CreateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "CreateGateway" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
GatewayId	`target.resource.product_object_id`
GatewayType	`target.labels.key/value` (deprecated)
GatewayType	`additional.fields.key` and `additional.fields.value.string_value`

CreateTemplateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTemplateApp" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateAppObjectId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

DeleteComment

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteComment" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
AuditedArtifactInformation	target.resource.name target.resource.product_object_id target.resource.attribute.labels.key/value Name is mapped to target.resource.name ArtifactObjectId is set to target.resource.product_object_id AnnotatedItemType is mapped to target.resource.attribute.labels.key/value
WorkspaceId	`target.resource.attribute.labels.key/value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`

DeleteDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDashboard" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DashboardId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
DashboardName	`target.resource.name`
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

DeleteDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataflow" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
DataflowType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

DeleteDataset

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataset" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

DeleteEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteEmailSubscription" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_DELETION ObjectId is set to target.file.full_path
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DashboardId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkSpaceName	`target.resource.attribute.labels.key/value`

DeleteFolder

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFolder" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION if isSuccess is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
FolderObjectId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

DeleteGateway

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteGateway" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
GatewayId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

DeleteGroup

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteGroup" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.nameRecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.name`
WorkspaceId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

DeleteReport

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.attribute.label.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.name`
ReportId	`target.resource.product_object_id`
ReportType	`target.resource.attribute.labels.key/value`

DownloadReport

The following table lists the log fields and corresponding UDM mappings for the operation "DownloadReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.attribute.label.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.name`
ReportId	`target.resource.product_object_id`
ReportType	`target.resource.attribute.labels.key/value`

EditDataset

The following table lists the log fields and corresponding UDM mappings for the operation "EditDataset" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

EditDatasetProperties

The following table lists the log fields and corresponding UDM mappings for the operation "EditDatasetProperties" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetCertificationStage	`target.resource.attribute.labels.key/value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

EditReport

The following table lists the log fields and corresponding UDM mappings for the operation "EditReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.attribute.label.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.name`
ReportId	`target.resource.attribute.labels.key/value`
ReportType	`target.resource.attribute.labels.key/value`

ExportDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "ExportDataflow" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED if isSuccess is TRUE then security_result.summary is Dataflow Exported Successfully else security_result.summary is Dataflow Not Exported
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_id`
DataflowName	`target.rsource.name`
DataflowType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

ExportReport

The following table lists the log fields and corresponding UDM mappings for the operation "ExportReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED if isSuccess is TRUE then security_result.summary is Report Exported Successfully else security_result.summary is Report Not Exported
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DatasetId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

InstallApp

The following table lists the log fields and corresponding UDM mappings for the operation "InstallApp" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

InstallTemplateApp

The following table lists the log fields and corresponding UDM mappings for the operation "InstallTemplateApp" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateAppFolderObjectId	`about.labels.key/value` (deprecated)
TemplateAppFolderObjectId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateAppOwnerTenantObjectId	`principal.user.product_object_id`
TemplateAppVersion	`metadata.product_version`
TemplateAppObjectId	`target.resource.product_object_id`
TemplatePackageName	`target.resource.name`

PostComment

The following table lists the log fields and corresponding UDM mappings for the operation "PostComment" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
AuditedArtifactInformation	target.resource.name target.resource.product_object_id target.resource.attribute.labels.key/value
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

PrintDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "PrintDashboard" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZEDObjectId is set to target.file.full_path
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardId	`target.resource.product_object_id`
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

PrintReport

The following table lists the log fields and corresponding UDM mappings for the operation "PrintReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.attribute.label.key/value`
ReportId	`target.resource.product_object_id`
ReportType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

UnassignWorkspaceFromPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "UnassignWorkspaceFromPipeline" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineId	`target.resource.attribute.labels.key/value`
DeploymentPipelineObjectId	`target.resource.product_object_id`

RemoveDatasourceFromGateway

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveDatasourceFromGateway" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
GatewayId	`target.resource.attribute.label.key/value`
DatasourceId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

RenameDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "RenameDashboard" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is set to target.file.full_path
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardId	`target.resource.product_object_id`
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

RequestDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "RequestDataflowRefresh" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
DataflowRefreshScheduleType	`target.labels.key/value` (deprecated)
DataflowRefreshScheduleType	`additional.fields.key` and `additional.fields.value.string_value`
DataflowType	`target.resource.attribute.label.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

RefreshDataset

The following table lists the log fields and corresponding UDM mappings for the operation "RefreshDataset" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RefreshType	`target.labels.key/value` (deprecated)
RefreshType	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

SensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation "SensitivityLabelApplied" and workload "PowerBI":

Log field	UDM mapping
	`metadata.event_type` is mapped to `SETTING_CREATION`. `target.resource.resource_type` is set to `SETTING`.
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission.recipients	`target.user.email_addresses`
OrgAppPermission.permissions	`target.user.attribute.permissions.name`
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation.RecipientEmail	`about.user.email_addresses`
SharingInformation.RecipientName	`about.user.user_display_name`
SharingInformation.ObjectId	`about.user.product_object_id`
SharingInformation.ResharePermission	`about.user.attribute.permissions.name`
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.attribute.labels.key/value`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelId	`target.resource.product_object_id`
ActionSourceDetail	`principal.labels.key/value` (deprecated)
ActionSourceDetail	`additional.fields.key` and `additional.fields.value.string_value`
LabelEventType	`target.labels.key/value` (deprecated)
LabelEventType	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`
ActionSourceDetail	`principal.labels.key/value` (deprecated)
ActionSourceDetail	`additional.fields.key` and `additional.fields.value.string_value`
ArtifactType	`about.labels.key/value` (deprecated)
ArtifactType	`additional.fields.key` and `additional.fields.value.string_value`

SensitivityLabelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SensitivityLabelRemoved" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.attribute.labels.key/value`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
OldSensitivityLabelId	`target.resource.product_object_id`
ActionSource	`principal.labels.key/value` (deprecated)
ActionSource	`additional.fields.key` and `additional.fields.value.string_value`
LabelEventType	`target.labels.key/value` (deprecated)
LabelEventType	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`
ActionSourceDetail	`principal.labels.key/value` (deprecated)
ActionSourceDetail	`additional.fields.key` and `additional.fields.value.string_value`
ArtifactType	`about.labels.key/value` (deprecated)
ArtifactType	`additional.fields.key` and `additional.fields.value.string_value`

SetScheduledRefreshOnDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "SetScheduledRefreshOnDataflow" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_id`
DataflowName	`target.resource.name`
DataflowType	`target.resource.attribute.label.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

SetScheduledRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "SetScheduledRefresh" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.rsource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
Schedules	`target.labels.key/value` (deprecated)
Schedules	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

ShareDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "ShareDashboard" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
DashboardId	`target.resource.product_object_id`
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
WorkspaceId	`target.resource.attribute.labels.key/value`
SharingAction	`about.labels.key/value` (deprecated)
SharingAction	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

ShareReport

The following table lists the log fields and corresponding UDM mappings for the operation "ShareReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
Datasets	about.resource.product_object_id about.resource.name
WorkspaceId	`target.resource.attribute.labels.key/value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ArtifactId	`target.resource.product_object_id`
ArtifactName	`target.resource.name`
SharingAction	`about.labels.key/value` (deprecated)
SharingAction	`additional.fields.key` and `additional.fields.value.string_value`
ShareLinkId	`about.labels.key/value` (deprecated)
ShareLinkId	`additional.fields.key` and `additional.fields.value.string_value`

OptInForProTrial

The following table lists the log fields and corresponding UDM mappings for the operation "OptInForProTrial" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UnpublishApp

The following table lists the log fields and corresponding UDM mappings for the operation "UnpublishApp" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkspaceId	`target.resource.product_object_id`
WorkSpaceName	`target.resource.name`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateOrganizationalGalleryItem" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationalGalleryItemId	`target.resource.product_object_id`
OrganizationalGalleryItemDisplayName	`target.resource.name`
OrganizationalGalleryItemPublishTime	`target.resource.attribute.labels.key/value`

UpdateAlmPipelineAccess

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateAlmPipelineAccess" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DeploymentPipelineObjectId	`target.resource.product_object_id`
DeploymentPipelineDisplayName	`target.resource.name`
DeploymentPipelineAccesses	about.user.userid about.user.attribute.permissions.name userid is mapped to about.user.userid Rolepermission is mapped to about.user.attribute.permissions.name

UpdateInstalledTemplateAppParameters

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInstalledTemplateAppParameters" and workload "and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateAppObjectId	`target.resource.product_object_id`
TemplatePackageName	`target.resource.name`
TemplateAppVersion	`metadata.product_version`
TemplateAppFolderObjectId	`about.labels.key/value` (deprecated)
TemplateAppFolderObjectId	`additional.fields.key` and `additional.fields.value.string_value`

UpdatedAdminFeatureSwitch

The following table lists the log fields and corresponding UDM mappings for the operation "UpdatedAdminFeatureSwitch" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is mapped to SETTING
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateApp

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateApp" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.name`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
WorkspaceId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDataflow" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
DataflowType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateDatasetParameters

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasetParameters" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`

UpdateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateEmailSubscription" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION target.resource.type is mapped to TASK
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
SubscriptionSchedule	`target.labels.key/value` (deprecated)
SubscriptionSchedule	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
SubscribeeInformation	`network.email.to`
DashboardId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkSpaceName	`target.resource.attribute.labels.key/value`

UpdateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolder" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
FolderObjectId	`target.resource.product_object_id`
FolderDisplayName	`target.resource.name`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateFolderAccess

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderAccess" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
FolderObjectId	`target.resource.product_object_id`
FolderDisplayName	`target.resource.name`
FolderAccessRequests	about.user.userid about.user.product_object_id about.user.attribute.permissions.type UserId is mapped to about.user.userid UserObjectId is set to about.user.product_object_id RolePermissions is mapped to about.user.attribute.permissions.type
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateDatasourceCredentials

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasourceCredentials" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
GatewayId	`target.resource.attribute.labels.key/value`
DatasourceId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

UpdateTemplateAppSettings

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppSettings" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateAppObjectId	`target.resource.product_object_id`

UpdateTemplateAppTestPackagePermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppTestPackagePermissions" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateAppObjectId	`target.resource.product_object_id`

ViewDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDashboard" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ConsumptionMethod	`target.labels.key/value` (deprecated)
ConsumptionMethod	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
DashboardId	`target.resource.product_object_id`
WorkspaceId	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.name`
WorkSpaceName	`target.resource.attribute.labels.key/value`

ViewDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDataflow" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
CapacityId	`about.labels.key/value` (deprecated)
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityName	`about.labels.key/value` (deprecated)
CapacityName	`additional.fields.key` and `additional.fields.value.string_value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
DataflowType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelId	`security_result.detection_fields.key/value`

AddTile

The following table lists the log fields and corresponding UDM mappings for the operation "AddTile" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.name`
WorkspaceId	`target.resource.product_object_id`
TileText	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

RunEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "RunEmailSubscription" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.label.key/value`
DashboardName	`target.resource.name`
WorkspaceId	`target.resource.attribute.label.key/value`
DashboardId	`target.resource.product_object_id`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

CreateReport

The following table lists the log fields and corresponding UDM mappings for the operation "CreateReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.label.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.name`
WorkspaceId	`target.resource.attribute.label.key/value`
DatasetId	`target.resource.attribute.label.key/value`
ReportId	`target.resource.product_object_id`
ReportType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

GetSnapshots

The following table lists the log fields and corresponding UDM mappings for the operation "GetSnapshots" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

OptInForPPUTrial

The following table lists the log fields and corresponding UDM mappings for the operation "OptInForPPUTrial" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

Set-MailUser

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailUser" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
Version	`metadata.product_version`

Set-MailContact

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailContact" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
Version	`metadata.product_version`

Set-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Mailbox" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED Object is mapped to target.group.group_display_name
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
SessionId	`network.session_id`
Version	`metadata.product_version`

Set-DistributionGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-DistributionGroup" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is Group members definition ResultStatus is True Action is set to ALLOW else Action is set to BLOCK
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.group.product_object_id or target.group.email_addresses security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is AcceptMessagesOnlyFromSendersOrMembers then Value is mapped to security_result.description else target.group.attribute.labels.key/value
SessionId	`network.session_id`
Version	`metadata.product_version`

Set-Contact

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Contact" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
Version	`metadata.product_version`

Set-CASMailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CASMailbox" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
ModifiedObjectResolvedName	`about.labels.key/value` (deprecated)
ModifiedObjectResolvedName	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
SessionId	`network.session_id`
Version	`metadata.product_version`

Set-CalendarProcessing

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CalendarProcessing" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.user.user_display_name If Name is ResourceDelegates then Value is mapped to target.user.user_display_name
SessionId	`network.session_id`
Version	`metadata.product_version`

Set-AdminAuditLogConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-AdminAuditLogConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. ObjectId is mapped to target.url target.resource.resource_type is set to SETTING
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
ModifiedObjectResolvedName	`about.labels.key/value` (deprecated)
ModifiedObjectResolvedName	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
SessionId	`network.session_id`
Version	`metadata.product_version`

Remove-UnifiedGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-UnifiedGroup" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
Version	`metadata.product_version`

Remove-MigrationUser

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MigrationUser" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION ObjectId is set to target.user.userid or target.user.email_addresses
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
SessionId	`network.session_id`
Version	`metadata.product_version`

Update-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Update-eDiscoveryCaseAdmin" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Remove-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-DistributionGroupMember" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name else target.group.attribute.labels.key/value
Version	`metadata.product_version`

ViewedSearchExported

The following table lists the log fields and corresponding UDM mappings for the operation "ViewedSearchExported" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

AddWorkingSetQueryToWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "AddWorkingSetQueryToWorkingSet" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

AddQueryToWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "AddQueryToWorkingSet" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

RunAlgo

The following table lists the log fields and corresponding UDM mappings for the operation "RunAlgo" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

AnnotateDocument

The following table lists the log fields and corresponding UDM mappings for the operation "AnnotateDocument" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

BurnJob

The following table lists the log fields and corresponding UDM mappings for the operation "BurnJob" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

CreateWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingSet" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

CreateWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingsetSearch" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

CreateTag

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTag" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

DeleteWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteWorkingsetSearch" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

DeleteTag

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteTag" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

DownloadDocument

The following table lists the log fields and corresponding UDM mappings for the operation "DownloadDocument" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

UpdateTag

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTag" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

ExportJob

The following table lists the log fields and corresponding UDM mappings for the operation "ExportJob" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

UpdateCaseSettings

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCaseSettings" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

UpdateWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateWorkingsetSearch" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

TagFiles

The following table lists the log fields and corresponding UDM mappings for the operation "TagFiles" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

ViewDocument

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDocument" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
StartTime	`target.resource.attribute.creation_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

SearchViewed

The following table lists the log fields and corresponding UDM mappings for the operation "SearchViewed" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id If Name is SearchIds then Value is mapped to target.resource.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

CaseMemberAdded

The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberAdded" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member\|User) \{DATA:target_user}\ } }
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

SearchUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

CaseAdminUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	about.user.email_address about.user.product_object_id If Name is CaseAdminsSmtp then Value is mapped to about.user.email_addresses if Name is CaseAdminsGuid then Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

CaseUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "CaseUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

CaseMemberUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resrource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

SearchPermissionUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExtendedProperties	`principal.labels.key/value` (deprecated)
ExtendedProperties	`additional.fields.key` and `additional.fields.value.string_value`
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

HoldUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "HoldUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

SearchRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SearchRemoved" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

CaseAdminRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminRemoved" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line target.user.email_address target.user.userid If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} target_user is mapped to target.user.email_addresses or target.user.userid
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

CaseRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CaseRemoved" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_detail`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

SearchPermissionRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionRemoved" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`principal.labels.key/value` (deprecated)
ExtendedProperties	`additional.fields.key` and `additional.fields.value.string_value`
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

HoldRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "HoldRemoved" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

HoldCreated

The following table lists the log fields and corresponding UDM mappings for the operation "HoldCreated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

SearchCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCreated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_detail`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_detail`
Query	`security_result.description`
SharepointLocations	`security_result.category_detail`

CaseAdminAdded

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminAdded" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.prdouct_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

SearchStarted

The following table lists the log fields and corresponding UDM mappings for the operation "SearchStarted" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

SearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "SearchReport" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value`
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

SearchStopped

The following table lists the log fields and corresponding UDM mappings for the operation "SearchStopped" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_detail`

CaseViewed

The following table lists the log fields and corresponding UDM mappings for the operation "CaseViewed" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_detail`
ExtendedProperties	target.resource.product_object_id about.user.email_addresses about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Nameis CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_detail`
Query	`security_result.description`
SharepointLocations	`security_result.category_detail`

SearchExportDownloaded

The following table lists the log fields and corresponding UDM mappings for the operation "SearchExportDownloaded" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	`metadata.product_version`

CaseMemberRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberRemoved" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member\|User) \{DATA:target_user}\ } }
Version	`metadata.product_version`

CaseAdded

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdded" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

SearchPermissionCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionCreated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`principal.labels.key/value` (deprecated)
ExtendedProperties	`additional.fields.key` and `additional.fields.value.string_value`
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`
Version	`metadata.product_version`

NetworkConfigurationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkConfigurationUpdated" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

ProcessProfileFields

The following table lists the log fields and corresponding UDM mappings for the operation "ProcessProfileFields" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

SupervisorAdminToggled

The following table lists the log fields and corresponding UDM mappings for the operation "SupervisorAdminToggled" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

NetworkSecurityConfigurationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkSecurityConfigurationUpdated" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

FileCreated

The following table lists the log fields and corresponding UDM mappings for the operation "FileCreated" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_CREATIONIf ResultStatus is TRUE { security_result.action is ALLOW} else {security_result.action is BLOCK}
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

GroupCreation

The following table lists the log fields and corresponding UDM mappings for the operation "GroupCreation" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MessageDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "MessageDeleted" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

GroupDeletion

The following table lists the log fields and corresponding UDM mappings for the operation "GroupDeletion" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

DataExport

The following table lists the log fields and corresponding UDM mappings for the operation "DataExport" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

FileVisited

The following table lists the log fields and corresponding UDM mappings for the operation "FileVisited" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_READ If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

StreamInvokeVideoView

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoView" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoShare

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoShare" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoLike

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoLike" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoUnLike

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoUnLike" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoUpload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoUpload" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoDownload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoDownload" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoSetLink

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoSetLink" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamCreateGroup

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateGroup" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditGroup

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditGroup" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamDeleteGroup

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteGroup" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditGroupMemberships

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditGroupMemberships" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamCreateChannel

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateChannel" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditChannel

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditChannel" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`network.http.referral_url`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamDeleteChannel

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteChannel" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`network.http.referral_url`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeChannelSetThumbnail

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeChannelSetThumbnail" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`network.http.referral_url`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditVideoPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditVideoPermissions" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is Succeeded then action is ALLOW else action is BLOCK
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditVideo

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditVideo" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamDeleteVideo

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteVideo" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditUserSettings

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditUserSettings" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamEditAdminTenantSettings

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditAdminTenantSettings" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamCreateVideoComment

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateVideoComment" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamDeleteVideoComment

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteVideoComment" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoTextTrackUpload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoTextTrackUpload" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamDeleteVideoTextTrack

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteVideoTextTrack" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoThumbnailUpload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoThumbnailUpload" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is Succeeded then action is ALLOW else action is BLOCK
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamCreateVideo

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateVideo" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url_back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

DlpRuleMatch

The following table lists the log fields and corresponding UDM mappings for the operation DlpRuleMatch and workload Exchange ,SharePoint or OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `EMAIL_TRANSACTION` `security_result.category` is set to `DATA_EXFILTRATION` `ObjectId` is set to `network.email.mail_id`
SharePointMetaData	`network.http.referral_url` `network.email.from` `target.file.full_path` `target.url` `target.file.size` `SiteCollectionUrl` is mapped to `network.http.referral_url` `From` is mapped to `network.email.from` (if `ExchangeMetadata` field not getting in log) `FileName` is mapped to `target.file.full_path` `FilePathUrl` is mapped to `target.url` `FileSize` is mapped to `target.file.size`
ExchangeMetaData	`network.email.from` `network.email.to` `network.email.bcc` `network.email.cc` `network.email.subject` `additional.fields.key` and `additional.fields.value.string_value` The `From` log field value is mapped to the `network.email.from` UDM field. The `To` log field value is mapped to the `network.email.to` UDM field. `BCC` log field value is mapped to `network.email.bcc` UDM field. The`CC` log field value is mapped to the `network.email.cc` UDM field. The `RecipientCount` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields. The `Sent` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ExceptionInfo	`about.labels.key/value` (deprecated)
ExceptionInfo	`additional.fields.key` and `additional.fields.value.string_value`
PolicyDetails	`target.resource.product_object_id` `security_result.summary` `security_result.description` `security_result.rule_id` `security_result.rule_name` `security_result.severity` `security_result.confidence_details` `security_result.detection_fields.key/value` `PolicyId` is mapped to `target.resource.product_object_id` `PolicyName` is mapped to `security_result.summary` `SensitiveInformationTypeName` is mapped to `security_result.description` `RuleId` is mapped to `security_result.rule_id` `RuleName` is mapped to `security_result.rule_name` `Severity` is mapped to `security_result.severity` `SensitiveInformationDetailedClassificationAttributes.Confidence` is mapped to `security_result.confidence_details` `SensitiveInformationDetailedClassificationAttributes.Count` is mapped to `security_result.detection_fields.key/value`
IncidentId	`about.labels.key/value` (deprecated)
IncidentId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
EndpointMetaData.SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.ClassifierType	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.UniqueCount	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value	`security_result.detection_fields.key/value`

DlpRuleUndo

The following table lists the log fields and corresponding UDM mappings for the operation "DlpRuleUndo" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id
SharePointMetaData	network.http.referral_url network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size
ExceptionInfo	`about.labels.key/value` (deprecated)
ExceptionInfo	`additional.fields.key` and `additional.fields.value.string_value`
PolicyDetails	target.resource.product_object_id security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity
IncidentId	`about.labels.key/value` (deprecated)
IncidentId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
EndpointMetaData.SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.ClassifierType	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.UniqueCount	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value	`security_result.detection_fields.key/value`

DlpInfo

The following table lists the log fields and corresponding UDM mappings for the operation "DlpInfo" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id
SharePointMetaData	network.http.referral_url network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size
ExceptionInfo	`about.labels.key/value` (deprecated)
ExceptionInfo	`additional.fields.key` and `additional.fields.value.string_value`
PolicyDetails	target.resource.product_object_id security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity
IncidentId	`about.labels.key/value` (deprecated)
IncidentId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
EndpointMetaData.SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.ClassifierType	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.UniqueCount	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value	`security_result.detection_fields.key/value`

MipLabel

The following table lists the log fields and corresponding UDM mappings for the operation "MipLabel" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to network.email.mail_id
ApplicationMode	`about.labels.key/value` (deprecated)
ApplicationMode	`additional.fields.key` and `additional.fields.value.string_value`
ItemName	`network.email.subject`
LabelAppliedDateTime	`principal.labels.key/value` (deprecated)
LabelAppliedDateTime	`additional.fields.key` and `additional.fields.value.string_value`
LabelId	`target.resource.product_object_id`
LabelName	`target.resource.name`
Receivers	`network.email.to`
Sender	`network.email.from`
Version	`metadata.product_version`

SiteCollectionCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionCreated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
CorrelationId	`security_result.detection_fields.key/value`
EventData	`target.resource.name`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`
Version	`metadata.product_version`

SiteDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "SiteDeleted" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
ListItemUniqueId	`principal.asset_id`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	`target.file.mime_type`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`
MachineId	`target.asset.product_object_id`

PreviewModeEnabledSet

The following table lists the log fields and corresponding UDM mappings for the operation "PreviewModeEnabledSet" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is mapped to SETTING
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

OfficeOnDemandSet

The following table lists the log fields and corresponding UDM mappings for the operation "OfficeOnDemandSet" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

HubSiteJoined

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteJoined" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
EventData	target.resource.attribute.labels.key/value target.resource.attribute.labels.key/value PreviousHubSiteIdis mapped to target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

HubSiteRegistered

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteRegistered" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
EventData	target.resource.attribute.labels.key/value target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

HubSiteUnjoined

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteUnjoined" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectID is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
EventData	target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

HubSiteUnregistered

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteUnregistered" and workload "HubSiteUnregistered":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectID is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
EventData	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

SharingPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "SharingPolicyChanged" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
CorrelationId	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
AssertingApplicationId	`about.labels.key/value` (deprecated)
AssertingApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

NetworkAccessPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkAccessPolicyChanged" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
ModifiedProperties	`target.ip` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` (deprecated) If the `Name` log field value is equal to `IPAddressAllowList`, then the `NewValue` log field value is mapped to the `target.ip` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

AlertEntityGenerated

The following table lists the log fields and corresponding UDM mappings for the operation "AlertEntityGenerated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT security_result.category is set to DATA_EXFILTRATION
AlertId	`target.resource.product_object_id`
AlertType	`target.resource.attribute.labels.key/value`
Name	`security_result.summary`
PolicyId	`target.labels.key/value` (deprecated)
PolicyId	`additional.fields.key` and `additional.fields.value.string_value`
Status	`target.resource.attribute.labels.key/value`
Severity	`security_result.severity`
Category	`security_result.category_details`
Source	`security_result.description`
Comments	`about.labels.key/value` (deprecated)
Comments	`additional.fields.key` and `additional.fields.value.string_value`
Data	`about.labels.key/value` (deprecated)
Data	`additional.fields.key` and `additional.fields.value.string_value`
AlertEntityId	target.user.userid or target.user.email_addresses
EntityType	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

AlertTriggered

The following table lists the log fields and corresponding UDM mappings for the operation "AlertTriggered" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT security_result.category is set to DATA_EXFILTRATION
AlertId	`target.resource.product_object_id`
AlertType	`target.resource.attribute.labels.key/value`
Name	`security_result.summary`
PolicyId	`target.labels.key/value` (deprecated)
PolicyId	`additional.fields.key` and `additional.fields.value.string_value`
Status	`target.resource.attribute.labels.key/value`
Severity	`security_result.severity`
Category	`security_result.category_details`
Source	`security_result.description`
Comments	`about.labels.key/value` (deprecated)
Comments	`additional.fields.key` and `additional.fields.value.string_value`
Data	`about.labels.key/value` (deprecated)
Data	`additional.fields.key` and `additional.fields.value.string_value`
AlertEntityId	target.user.userid or target.user.email_addresses
EntityType	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

AlertUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AlertUpdated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT security_result.category is set to DATA_EXFILTRATION
AlertId	`target.resource.product_object_id`
AlertType	`target.resource.attribute.labels.key/value`
Name	`security_result.summary`
PolicyId	`target.labels.key/value` (deprecated)
PolicyId	`additional.fields.key` and `additional.fields.value.string_value`
Status	`target.resource.attribute.labels.key/value`
Severity	`security_result.severity`
Category	`security_result.category_details`
Source	`security_result.description`
Comments	`about.labels.key/value` (deprecated)
Comments	`additional.fields.key` and `additional.fields.value.string_value`
Data	`about.labels.key/value` (deprecated)
Data	`additional.fields.key` and `additional.fields.value.string_value`
AlertEntityId	target.user.userid or target.user.email_addresses
EntityType	`target.resource.attribute.labels.key/value`
Version	`metadata.product_version`

Get-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCase" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_UNCATEGORIZED target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Set-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

New-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Set-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Get-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

New-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceCase" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.process.command_line target.resource.name
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCase" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Set-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceCase" and workload "Set-ComplianceCase":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Add-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Remove-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Update-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

New-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Remove-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Set-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Start-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Start-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Stop-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Stop-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

New-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Remove-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

New-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Remove-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Set-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Add-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Add-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Remove-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

New-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-AadProtectionLevel

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AadProtectionLevel" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-AutoSensitivityLabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AutoSensitivityLabelPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-DlpSensitiveInformationType

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationType" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-Label

The following table lists the log fields and corresponding UDM mappings for the operation "Get-Label" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-LabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-LabelPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-PolicyConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Get-PolicyConfig" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

ValidaterbacAccessCheck

The following table lists the log fields and corresponding UDM mappings for the operation "ValidaterbacAccessCheck" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`security_result.description`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

ApplicableAdaptiveScopeChange

The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptiveScopeChange" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.resource.product_object_id If Name is AssociatedAdaptiveScopeIds then Value is target.resource.product_object_id
CorrelationId	`security_result.detection_fields`
ObjectType	`security_result.summary`

NewComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "NewComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

NewRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

NewRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

RemoveComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/valueIf Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

RemoveRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

SetComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "SetComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

SetRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

SetRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

Get-CsTeamsUpgradeOverridePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CsTeamsUpgradeOverridePolicy" and workload "SkypeForBusiness":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	`metadata.product_version`
Parameters	security_result.description If Name is Tenant then Value is mapped to tenate_value If Name is Identity then Vale is mapped to identity_value security_result.description is Tenant = {tenate_value} / Identity = {identity_value}
SkypeForBusinessEventType	`about.labels.key/value` (deprecated)
SkypeForBusinessEventType	`additional.fields.key` and `additional.fields.value.string_value`
TenantName	`target.resource.product_object_id`
Version	`metadata.product_version`

TeamsAdminAction

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsAdminAction" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS If ResultStatus is Succeeded then Action is set to ALLOW If ResultStatus is Failed then Action is set to BLOCK
AdminActionDetail	`security_result.summary`
ClientApplication	`network.http.user_agent`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
UserClaims	`security_result.description`
Version	`metadata.product_version`

Update-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-DistributionGroupMember" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK
ClientVersion	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	security_result.description target.group.product_object_id or target.group.email_addresses target.group.attribute.labels.key/value If Name is Members then Value is mapped to security_result.description If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
SessionId	`network.session_id`
Version	`metadata.product_version`

SupervisoryReviewOLAudit

The following table lists the log fields and corresponding UDM mappings for the operation "SupervisoryReviewOLAudit" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION extract auditscore form ResultStatus using ResultStatus .*?Score:{auditScore} and map with security_result.confidenece_details is {auditScore} security_result.confidence will map based on auditScore
LogonType	`extensions.auth.mechanism`
InternalLogonType	`about.labels.key/value` (deprecated)
InternalLogonType	`additional.fields.key` and `additional.fields.value.string_value`
MailboxGuid	`target.labels.key/value` (deprecated)
MailboxGuid	`additional.fields.key` and `additional.fields.value.string_value`
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	`target.user.windows_sid`
MailboxOwnerMasterAccountSid	`target.labels.key/value` (deprecated)
MailboxOwnerMasterAccountSid	`additional.fields.key` and `additional.fields.value.string_value`
LogonUserSid	`principal.user.windows_sid`
LogonUserDisplayName	`principal.user.user_display_name`
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientInfoString	`network.http.user_agent`
ClientIPAddress	principal.ip and principal.port
ClientMachineName	`principal.hostname`
ClientProcessName	`principal.process.file.full_path`
ClientVersion	`metadata.product_version`
ExchangeDetails	network.direection network.email.from network.email.mail_id network.email.to network.email.subject If Directionality is Incoming then network.direction is mapped to INBOUND If Directionality is Outgoining then network.direction is mapped to OUTBOUND From is mapped to network.email.from InternetMessageId is mapped to network.email.mail_id Recipients is mapped to network.email.to Subject is mapped to network.email.subject
Version	`metadata.product_version`

CrmDefaultActivity

The following table lists the log fields and corresponding UDM mappings for the operation "CrmDefaultActivity" and workload "CRM":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
CrmOrganizationUniqueName	`principal.resource.name`
InstanceUrl	`target.url`
ItemUrl	`principal.labels.key/value` (deprecated)
ItemUrl	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
Fields	`about.labels.key/value` (deprecated)
Fields	`additional.fields.key` and `additional.fields.value.string_value`
EntityId	`principal.labels.key/value` (deprecated)
EntityId	`additional.fields.key` and `additional.fields.value.string_value`
EntityName	`principal.labels.key/value` (deprecated)
EntityName	`additional.fields.key` and `additional.fields.value.string_value`
Message	`security_result.summary`
Query	`security_result.description`
PrimaryFieldValue	`about.labels.key/value` (deprecated)
PrimaryFieldValue	`additional.fields.key` and `additional.fields.value.string_value`
CorrelationId	`security_result.detection_fields.key/value.`
QueryResults	`about.labels.key/value` (deprecated)
QueryResults	`additional.fields.key` and `additional.fields.value.string_value`
ServiceContextId	`principal.labels.key/value` (deprecated)
ServiceContextId	`additional.fields.key` and `additional.fields.value.string_value`
ServiceContextIdType	`about.labels.key/value` (deprecated)
ServiceContextIdType	`additional.fields.key` and `additional.fields.value.string_value`
ServiceName	`principal.application`
SystemUserId	`principal.labels.key/value` (deprecated)
SystemUserId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

TIMailData

The following table lists the log fields and corresponding UDM mappings for the operation "TIMailData" and workload "ThreatIntelligence":

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION ObjectId is set to metadata.product_log_id
AttachmentData	about.file.full_path about.file.mime_type about.file.sha256 security_result.category_details AttachmentData.FileName is mapped to about.file.full_path AttachmentData.FileType is mapped to about.file.mime_type AttachmentData.SHA256 is mapped to about.file.sha256 AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details
DetectionType	`security_result.summary`
DetectionMethod	`security_result.description`
InternetMessageId	`about.labels.key/value` (deprecated)
InternetMessageId	`additional.fields.key` and `additional.fields.value.string_value`
NetworkMessageId	`about.labels.key/value` (deprecated)
NetworkMessageId	`additional.fields.key` and `additional.fields.value.string_value`
P1Sender	`principal.user.email_addresses`
P2Sender	`network.email.from`
Policy	`security_result.rule_name`
PolicyAction	security_result.action PolicyAction is Quarantine then action is set to QUARANTINE PolicyAction is MoveToJmf then action is set to ALLOW_WITH_MODIFICATION
Recipients	`network.email.to`
SenderIp	`src.ip`
Subject	`network.email.subject`
Verdict	`security_result.category`
MessageTime	`target.resource.attribute.labels.key/value`
EventDeepLink	`metadata.url_back_to_product`
DeliveryAction	`about.labels.key/value` (deprecated)
DeliveryAction	`additional.fields.key` and `additional.fields.value.string_value`
OriginalDeliveryLocation	`about.labels.key/value` (deprecated)
OriginalDeliveryLocation	`additional.fields.key` and `additional.fields.value.string_value`
LatestDeliveryLocation	`about.labels.key/value` (deprecated)
LatestDeliveryLocation	`additional.fields.key` and `additional.fields.value.string_value`
Directionality	`network.direction`
ThreatsAndDetectionTech	`about.labels.key/value` (deprecated)
ThreatsAndDetectionTech	`additional.fields.key` and `additional.fields.value.string_value`
AdditionalActionsAndResults	`about.labels.key/value` (deprecated)
AdditionalActionsAndResults	`additional.fields.key` and `additional.fields.value.string_value`
Connectors	`about.labels.key/value` (deprecated)
Connectors	`additional.fields.key` and `additional.fields.value.string_value`
AuthDetails	`about.labels.key/value` (deprecated)
AuthDetails	`additional.fields.key` and `additional.fields.value.string_value`
PhishConfidenceLevel	`about.labels.key/value` (deprecated)
PhishConfidenceLevel	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

SearchMtpStatus

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpStatus" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`

RemovedFromSiteCollection

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSiteCollection" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
TargetUserOrGroupType	target.group.group_display_name target.user.userid target.user.email_addresses
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
CorrelationId	`security_result.detection_fields.key/value.`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ApplicationDisplayName	`target.application`

CommentsDisabled

The following table lists the log fields and corresponding UDM mappings for the operation "CommentsDisabled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
SourceRelativeUrl	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ListItemUniqueId	`principal.asset_id`
ListId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`

FileRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileRecycled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
SiteUrl	`network.http.referral_url`
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	`target.file.mime_type`
UserSharedWith	`target.labels.key/value` (deprecated)
UserSharedWith	`additional.fields.key` and `additional.fields.value.string_value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
CorrelationId	`security_result.detection_fields.key/value.`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`

CommentsEnabled

The following table lists the log fields and corresponding UDM mappings for the operation "CommentsEnabled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SourceFileExtension	`target.file.mime_type`
SiteUrl	`network.http.referral_url`
SourceFileName	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
ApplicationDisplayName	`target.application`

FolderRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRecycled" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListItemUniqueId	`principal.asset_id`
ListId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`
SiteUrl	`network.http.referral_url`
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	`target.file.mime_type`
UserSharedWith	`target.labels.key/value` (deprecated)
UserSharedWith	`additional.fields.key` and `additional.fields.value.string_value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
CorrelationId	`security_result.detection_fields.key/value.`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

FileTranscriptRequested

The following table lists the log fields and corresponding UDM mappings for the operation "FileTranscriptRequested" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListItemUniqueId	`principal.asset_id`
ListId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`
SiteUrl	`network.http.referral_url`
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	`target.file.mime_type`
UserSharedWith	`target.labels.key/value` (deprecated)
UserSharedWith	`additional.fields.key` and `additional.fields.value.string_value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
CorrelationId	`security_result.detection_fields.key/value.`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

WACTokenShared

The following table lists the log fields and corresponding UDM mappings for the operation "WACTokenShared" and workload "SharePoint" or "OneDrive":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
ListItemUniqueId	`principal.asset_id`
ListId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application`
SiteUrl	`network.http.referral_url`
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	`target.file.mime_type`
UserSharedWith	`target.labels.key/value` (deprecated)
UserSharedWith	`additional.fields.key` and `additional.fields.value.string_value`
SharingType	`target.labels.key/value` (deprecated)
SharingType	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelId	`security_result.detection_fields.key/value`
CorrelationId	`security_result.detection_fields.key/value.`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

Update label

The following table lists the log fields and corresponding UDM mappings for the operation "Update label." and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

SiteLocksChanged

The following table lists the log fields and corresponding UDM mappings for the operation "SiteLocksChanged" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`

SiteIBModeSet

The following table lists the log fields and corresponding UDM mappings for the operation "SiteIBModeSet" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_UNCATEGORIZED target.resource.resource_type is set to SETTING ObjectId is mapped to target.url If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`

SiteDesignInvoked

The following table lists the log fields and corresponding UDM mappings for the operation "SiteDesignInvoked" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
EventData	target.resource.attribute.labels.key/value SiteDesignId is mapped to target.resource.attribute.labels.key/value
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`

SiteContentTypeCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeCreated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`

SiteCollectionQuotaModified

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionQuotaModified" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`

ShortcutAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ShortcutAdded" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATIONObjectId is mapped to target.url
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SourceFileExtension	`target.file.mime_type`
SiteUrl	`network.http.referral_url`
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`

SPOIBIsEnabled

The following table lists the log fields and corresponding UDM mappings for the operation "SPOIBIsEnabled" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`

WebAccessRequestApproverModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebAccessRequestApproverModified" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
ModifiedProperties	`target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `RequestAccessEmail`, then the `NewValue` log field value is mapped to the `target.user.email_addresses` or `target.user.userid` UDM fields. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.

Set-TransportConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-TransportConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	principal.user.email_addresses principal.user.userid If Name is Identity then Valueis mapped toprincipal.user.email_addresses or principal.user.userid

Set-TenantObjectVersion

The following table lists the log fields and corresponding UDM mappings for the operation "Set-TenantObjectVersion" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is `DomainController`, then the `Value` log field is mapped to the `target.administrative_domain` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.

Set-RecipientEnforcementProvisioningPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RecipientEnforcementProvisioningPolicy" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

Set-PolicyConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-PolicyConfig" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to ACCESS_POLICY
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Set-OwaMailboxPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-OwaMailboxPolicy" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

Set-MailboxPlan

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailboxPlan" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

Set-LabelProperties

The following table lists the log fields and corresponding UDM mappings for the operation "Set-LabelProperties" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`

Set-Label

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Label" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Set-ExchangeAssistanceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ExchangeAssistanceConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.url` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `PrivacyStatementURL`, then the `Value` log field is mapped to the `target.url`. Else, the `Value` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.

Set-ConditionalAccessPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ConditionalAccessPolicy" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.resource.name` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `DisplayName`, then the `Value` log field is mapped to the `target.resource.name` UDM field. Else, `Value` log field value is mapped to `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
SessionID	`network.session_id`

New-ConditionalAccessPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-ConditionalAccessPolicy" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.resource.name` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If `Name` log field value is equal to `DisplayName`, then `Value` log field is mapped to `target.resource.name` UDM field. Else, the `Value` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
SessionID	`network.session_id`

RemovedSearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedSearchReport" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

Get-PrivacyManagementPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-PrivacyManagementPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`

Set-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`target.process.command_line`

SearchTrialOffer

The following table lists the log fields and corresponding UDM mappings for the operation "SearchTrialOffer" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchTIKustoClusterInformation

The following table lists the log fields and corresponding UDM mappings for the operation "SearchTIKustoClusterInformation" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchMtpRoleInfo

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpRoleInfo" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchMailflowForwardingData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMailflowForwardingData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchDataInsightsSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "SearchDataInsightsSubscription" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchCustomerInsight

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCustomerInsight" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchConnectorReportData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchConnectorReportData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchAlertAggregate

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertAggregate" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchAlert

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlert" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Enable-AddressListPaging

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-AddressListPaging" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

Install-AdminAuditLogConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-AdminAuditLogConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

AccessedAggregates

The following table lists the log fields and corresponding UDM mappings for the operation "AccessedAggregates" and workload "Mip":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
DataType	`security_result.description`
version	`metadata.product_version`

AccessedSiteList

The following table lists the log fields and corresponding UDM mappings for the operation "AccessedSiteList" and workload "Mip":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
DataType	`security_result.description`
version	`metadata.product_version`

Install-DataClassificationConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-DataClassificationConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

Set-UnifiedGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-UnifiedGroup" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. if ResultStatus is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
SessionId	`network.session_id`

ApplicableAdaptivePolicyChange

The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptivePolicyChange" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	security_result.detection_fields.key/value. target.resource.product_object_id if Name is CorrelationId then Name is mapped to security_result.detection_fields.key/value. if Name is AssociatedAdaptivePolicyIds then AssociatedAdaptivePolicyIds is mapped to target.resource.product_object_id
ObjectType	`security_result.summary`

Get-AppRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{:target_resource_product_object_id}\ } }

New-AppRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.resource.name target.resource.product_object_id Extract Policy and Name using grok Name is mapped to target.resource.name Policy is mapped to target.resource.product_object_id
StartTime	`target.resource.attribute.creation_time`

New-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
StartTime	`target.resource.attribute.creation_time`

Set-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
StartTime	`target.resource.attribute.creation_time`

Install-DefaultSharingPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Install-DefaultSharingPolicy" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

Install-ResourceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-ResourceConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

New-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "New-Mailbox" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZEDObjectId is mapped to target.url
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`

Add-MailboxFolderPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxFolderPermission" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.resource.name` `target.user.user_display_name` `target.user.attribute.permissions.name` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Identity`, then the `Value` log field is mapped to the `target.resource.name` UDM field. Else, if the `Name` log field value is equal to `User`, then the `Value` log field is mapped to the `target.user.user_display_name` UDM field. Else, if the `Name` log field value is equal to `AccessRights`, then the `Value` log field is mapped to the `target.user.attribute.permissions.name` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.

New-LabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-LabelPolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to ACCESS_POLICY
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

New-Label

The following table lists the log fields and corresponding UDM mappings for the operation "New-Label" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.resource.name
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

Get-ActivityAlert

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ActivityAlert" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-ProtectionAlert

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ProtectionAlert" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

SearchComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "SearchComplianceCase" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Remove-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Remove-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource_resource_type is set to ACCESS_POLICY
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Remove-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource_resource_type is set to ACCESS_POLICY
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

New-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Enable-ComplianceTagStorage

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-ComplianceTagStorage" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-ComplianceRetentionEventType

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEventType" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

AggregateActivityData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateActivityData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Set-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-FilePlanPropertyStructure

The following table lists the log fields and corresponding UDM mappings for the operation "Get-FilePlanPropertyStructure" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

New-ComplianceRetentionEventType

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceRetentionEventType" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is mapped to ACCESS_POLICY
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	target.process.command_line target.resource.name target_resource_name is mapped to target.resource.name
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-DlpSensitiveInformationTypeRulePackage

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationTypeRulePackage" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-ComplianceRetentionEvent

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEvent" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-QuarantineMessage

The following table lists the log fields and corresponding UDM mappings for the operation "Get-QuarantineMessage" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

AggregateThreatProfileDetails

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateThreatProfileDetails" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Get-DlpDetectionsReport

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpDetectionsReport" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
Parameters	`target.process.command_line`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Add-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-RoleGroupMember" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`

Update-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-RoleGroupMember" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientVersion	`metadata.product_version`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`

New-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation "New-RoleGroup" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`

Provision-ComplianceMailboxFolder

The following table lists the log fields and corresponding UDM mappings for the operation "Provision-ComplianceMailboxFolder" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientVersion	`metadata.product_version`
version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`target.resource.product_object_id` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `FolderName`, then the `Value` log field is mapped to the `target.resource_product_object_id` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.

Remove-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-Mailbox" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientVersion	`metadata.product_version`
version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`target.resource.name` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Identity`, then the `Value` log field is mapped to the `target.resource.name` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.

New-QuarantinePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-QuarantinePolicy" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
ClientVersion	`metadata.product_version`
version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`target.resource.name` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Identity`, then the `Value` log field is mapped to the `target.resource.name` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
SessionId	`network.session_id`

Get-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RoleGroup" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

SearchLabelAnalyticsActivityData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchLabelAnalyticsActivityData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Get-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to ACCESS_POLICY
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

SearchSecurityRedirection

The following table lists the log fields and corresponding UDM mappings for the operation "SearchSecurityRedirection" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Get-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

HoldViewed

The following table lists the log fields and corresponding UDM mappings for the operation "HoldViewed" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.category_details`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

Get-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Get-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RoleGroupMember" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-ManagementRole

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ManagementRole" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Set-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RoleGroup" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.group.group_display_name target.process.command_line Extract DisplayName using grok Name is mapped totarget.group.group_display_name
Version	`metadata.product_version`
ResultCountSecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
ResultCountSecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-SecurityPrincipal

The following table lists the log fields and corresponding UDM mappings for the operation "Get-SecurityPrincipal" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } }
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

ViewedSearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "ViewedSearchReport" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	`metadata.product_version`
Case	`metadata.description`
ExchangeLocations	`security_result.summary`
ExtendedProperties	`target.resource.product_object_id` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `CaseId`, then the `Value` log field value is mapped to the `target.resource.product_object_id` UDM field. Else, if the `Name` log field value is equal to `SearchIds`, then the `Value` log field value is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ObjectType	`security_result.summary`
PublicFolderLocations	`security_result.category_details`
Query	`security_result.description`
SharepointLocations	`security_result.category_details`

Get-AdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AdaptiveScope" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to ACCESS_POLICY
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

New-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to ACCESS_POLICY
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

New-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-RetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } }
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Set-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-RegulatoryComplianceUI

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RegulatoryComplianceUI" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } }
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

New-AdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation "New-AdaptiveScope" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Enable-AdaptiveScopeStorage

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-AdaptiveScopeStorage" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

SearchCustomTag

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCustomTag" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Set-RegulatoryComplianceUI

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RegulatoryComplianceUI" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	`target.process.command_line`
Version	`metadata.product_version`

RemoveRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} The name and value for the parameters that were used with the corresponding cmdlet.
Version	`metadata.product_version`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	`security_result.summary`

NewAdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation "NewAdaptiveScope" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Parameters	principal.process.command_line The name and value for the parameters that were used with the corresponding cmdlet. If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	`metadata.product_version`
ObjectType	`security_result.summary`
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

CommentCreated

The following table lists the log fields and corresponding UDM mappings for the operation "CommentCreated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SourceFileExtension	`target.file.mime_type`
SiteUrl	`network.http.referral_url`
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
CommentId	`about.labels.key/value` (deprecated)
CommentId	`additional.fields.key` and `additional.fields.value.string_value`

DeviceAccessPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "DeviceAccessPolicyChanged" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`metadata.product_version`
CorrelationId	`security_result.detection_fields.key/value.`
ModifiedProperties	`target.labels.key/value` (deprecated)
ModifiedProperties	`additional.fields.key` and `additional.fields.value.struct_value.fields`

HeartBeat

The following table lists the log fields and corresponding UDM mappings for the operation "HeartBeat" and workload "Aip":

Log field UDM mapping

metadata.event_type is mapped to USER_RESOURCE_CREATION

Common

target.resource.product_object_id

target.resource.name

target.process.command_line

target.hostname

metadata.product_version

ApplicationId is mapped to target.resource.product_object_id

ApplicationName is mapped to target.resource.name

ProcessName is mapped to target.process.command_line

DeviceName is mapped to target.hostname

ProductVersion is mapped to metadata.product_version

Version metadata.product_version

MessageCreation

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreation" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
MessageID	`target.resource.product_object_id`

ThreadViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ThreadViewed" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
ThreadID	`about.labels.key/value` (deprecated)
ThreadID	`additional.fields.key` and `additional.fields.value.string_value`

StreamEditAdminGlobalRoleMembers

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditAdminGlobalRoleMembers" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeGetTextTrack

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGetTextTrack" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeChannelView

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeChannelView" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeVideoMakePublic

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoMakePublic" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

StreamInvokeGroupView

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGroupView" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

Set-CsOnlineDirectoryTenant

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CsOnlineDirectoryTenant" and workload "SkypeForBusiness":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	`metadata.product_version`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
SkypeForBusinessEventType	`about.labels.key/value` (deprecated)
SkypeForBusinessEventType	`additional.fields.key` and `additional.fields.value.string_value`
TenantName	`target.resource.product_object_id`
Version	`metadata.product_version`

Set-CsHostedVoicemailPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CsHostedVoicemailPolicy" and workload "SkypeForBusiness":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	`metadata.product_version`
Parameters	`target.administrative_domain` `target.url` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Organization`, then the `Value` log field is mapped to the `target.administrative_domain` UDM field. Else, if the `Name` log field value is equal to `Destination`, then the `Value` log field is mapped to the `target.url` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated) and `additional.field.key/value.string_value` UDM fields.
SkypeForBusinessEventType	`about.labels.key/value` (deprecated)
SkypeForBusinessEventType	`additional.fields.key` and `additional.fields.value.string_value`
TenantName	`target.resource.product_object_id`
Version	`metadata.product_version`

Get-CSSimpleUrlConfiguration

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CSSimpleUrlConfiguration" and workload "SkypeForBusiness":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	`metadata.product_version`
Parameters	`target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is `Organization`, then the `Value` log field is mapped to the `target.administrative_domain` UDM field. Else, the `Value` log field is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
SkypeForBusinessEventType	`about.labels.key/value` (deprecated)
SkypeForBusinessEventType	`additional.fields.key` and `additional.fields.value.string_value`
TenantName	`target.resource.product_object_id`
Version	`metadata.product_version`

New-ExchangeAssistanceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "New-ExchangeAssistanceConfig" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`

New-App

The following table lists the log fields and corresponding UDM mappings for the operation "New-App" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`target.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
SessionId	`network.session_id`

PublishToWebReport

The following table lists the log fields and corresponding UDM mappings for the operation "PublishToWebReport" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
ReportName	`target.resource.name`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.attribute.labels.key/value`
ReportId	`target.resource.product_object_id`
ReportType	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
DistributionMethod	`about.labels.key/value` (deprecated)
DistributionMethod	`additional.fields.key` and `additional.fields.value.string_value`

UpdateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateGateway" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
WorkSpaceName	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
GatewayId	`target.resource.product_object_id`

ShareDataset

The following table lists the log fields and corresponding UDM mappings for the operation "ShareDataset" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
ArtifactId	`target.resource.product_object_id`
ArtifactName	`target.resource.name`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
SharingAction	`about.labels.key/value` (deprecated)
SharingAction	`additional.fields.key` and `additional.fields.value.string_value`

GetRefreshablesAsAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "GetRefreshablesAsAdmin" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`

CreateTagJob

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTagJob" and workload "Compliance":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
CaseID	`target.resource.product_object_id`
CaseName	`target.resource.name`
EndTime	`target.resource.attribute.last_update_time`
ExtendedProperties	`target.resource.attribute.labels.key/value`
StartTime	`target.resource.attribute.creation_time`

Add delegated permission grant

The following table lists the log fields and corresponding UDM mappings for the operation Add delegated permission grant and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`target.resource.product_object_id` `target.resource.name` `security_result.summary` If `Name` is `ServicePrincipal.ObjectId` then `NewValue` is mapped to `target.resource.product_object_id` If `Name` is `ServicePrincipal.DisplayName` then `NewValue` is mapped to `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `DelegatedPermissionGrant.Scope` then `NewValue` and `OldValue` is mapped to `target.resource.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.uset.userid` or `target.user.email_addresses`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add app role assignment to service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment to service principal" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summary If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Update to application

The following table lists the log fields and corresponding UDM mappings for the operation "Update to application" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	security_result.summary If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Update application – Certificates and secrets management

The following table lists the log fields and corresponding UDM mappings for the operation Update application – Certificates and secrets management and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT` if `ObjectId` has unique field in the log then and then only it will be mapped.
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `RequiredResourceAccess` then `New Value` and `Old Value` is mapped with `target.resource.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add owner to application

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to application" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summaryIf Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Application.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.labels.key/value` (deprecated)
Target	`additional.fields.key` and `additional.fields.value.string_value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add to application

The following table lists the log fields and corresponding UDM mappings for the operation "Add to application" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.name security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add device configuration

The following table lists the log fields and corresponding UDM mappings for the operation "Add device configuration" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.name security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add unverified domain

The following table lists the log fields and corresponding UDM mappings for the operation "Add unverified domain" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.name security_result.summary If Name is Name then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add policy

The following table lists the log fields and corresponding UDM mappings for the operation "Add policy" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.name security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

CreateResponse

The following table lists the log fields and corresponding UDM mappings for the operation "CreateResponse" and workload "MicrosoftForms":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	`principal.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

EditForm

The following table lists the log fields and corresponding UDM mappings for the operation "EditForm" and workload "MicrosoftForms":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	`principal.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

SubmitResponse

The following table lists the log fields and corresponding UDM mappings for the operation "SubmitResponse" and workload "MicrosoftForms":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
FormsUserTypes	`principal.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

ViewResponses

The following table lists the log fields and corresponding UDM mappings for the operation "ViewResponses" and workload "MicrosoftForms":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	`principal.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

ViewRuntimeForm

The following table lists the log fields and corresponding UDM mappings for the operation "ViewRuntimeForm" and workload "MicrosoftForms":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	`principal.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

DeleteFlow

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFlow" and workload "MicrosoftForms":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
FormsUserTypes	`target.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

ListViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ListViewed" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ItemCount	`target.labels.key/value` (deprecated)
ItemCount	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
TemplateTypeId	`about.labels.key/value` (deprecated)
TemplateTypeId	`additional.fields.key` and `additional.fields.value.string_value`

ListColumnUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnUpdated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

ListContentTypeUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListContentTypeUpdated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

ListItemDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemDeleted" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

ListUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListUpdated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateTypeId	`about.labels.key/value` (deprecated)
TemplateTypeId	`additional.fields.key` and `additional.fields.value.string_value`
ApplicationDisplayName	`target.application`
ItemCount	`target.labels.key/value` (deprecated)
ItemCount	`additional.fields.key` and `additional.fields.value.string_value`

ListItemCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemCreated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateTypeId	`about.labels.key/value` (deprecated)
TemplateTypeId	`additional.fields.key` and `additional.fields.value.string_value`
ItemCount	`target.labels.key/value` (deprecated)
ItemCount	`additional.fields.key` and `additional.fields.value.string_value`

ListColumnCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnCreated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
TemplateTypeId	`about.labels.key/value` (deprecated)
TemplateTypeId	`additional.fields.key` and `additional.fields.value.string_value`
ItemCount	`target.labels.key/value` (deprecated)
ItemCount	`additional.fields.key` and `additional.fields.value.string_value`

SiteContentTypeUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeUpdated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

ListItemViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemViewed" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
ItemCount	`target.labels.key/value` (deprecated)
ItemCount	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
ListItemUniqueId	`principal.asset_id`

ListItemUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemUpdated" and workload "SharePoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value` (deprecated)
SourceName	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
Version	`medata.product_version`
CorrelationId	`security_result.detection_fields.key/value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`
target.file.size	`target.labels.key/value` (deprecated)
target.file.size	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
ListItemUniqueId	`principal.asset_id`

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileType	`target.resource.attribute.labels.key/value`
PreviousFileName	`src.file.full_path`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`

UpdatePowerApp

The following table lists the log fields and corresponding UDM mappings for the operation "UpdatePowerApp" and workload "PowerApps":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
Id	`metadata.product_log_id`

SubscribedToMessages

The following table lists the log fields and corresponding UDM mappings for the operation "SubscribedToMessages" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
SubscriptionId	`target.resource.attribute.labels.key/value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MessageCreatedNotification

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedNotification" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageId	`target.resource.product_object_id`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
MessageVersion	`target.resource.attribute.labels.key/value`
SubscriptionId	`target.resource.attribute.labels.key/value`
ChatThreadId	target.user.group_identifiers target.group.product_object_id
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MessageUpdatedNotification

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdatedNotification" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageId	`target.resource.product_object_id`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
MessageVersion	`target.resource.attribute.labels.key/value`
SubscriptionId	`target.resource.attribute.labels.key/value`
ChatThreadId	target.user.group_identifiers target.group.product_object_id
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MessageCreatedHasLink

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedHasLink" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
MessageId	`target.resource.product_object_id`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
SubscriptionId	`target.resource.attribute.labels.key/value`
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
MessageVersion	`target.resource.attribute.labels.key/value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MessagesListed

The following table lists the log fields and corresponding UDM mappings for the operation "MessagesListed" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
ChannelGuid	`target.resource.product_object_id`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`

PerformedCardAction

The following table lists the log fields and corresponding UDM mappings for the operation "PerformedCardAction" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	`target.labels.key/value` (deprecated)
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnName	`target.labels.key/value` (deprecated)
AddOnName	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`target.labels.key/value` (deprecated)
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
ChannelGuid	`target.resource.product_object_id`
ChannelName	`target.resource.name`
ChannelType	`target.labels.key/value` (deprecated)
ChannelType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	`target.group.group_display_name`
Version	`metadata.product_version`

MessageEditedHasLink

The following table lists the log fields and corresponding UDM mappings for the operation "MessageEditedHasLink" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
MessageId	`target.resource.product_object_id`
MessageURLs	`target.resource.attribute.labels.key/value`
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
SubscriptionId	`target.resource.attribute.labels.key/value`
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
MessageVersion	`target.resource.attribute.labels.key/value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

MeetingParticipantDetail

The following table lists the log fields and corresponding UDM mappings for the operation "MeetingParticipantDetail" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Attendees	about.resource.product_object_id about.user.product_object_id about.user.attribute.roles.name OrganizationId is mapped to about.resource.product_object_id Role is mapped to about.user.attribute.roles.name UserObjectId is set to about.user.product_object_id
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
JoinTime	`target.resource.attribute.creation_time`
LeaveTime	`target.resource.attribute.last_update_time`
MeetingDetailId	`target.resource.product_object_id`
Version	`metadata.product_version`

MeetingDetail

The following table lists the log fields and corresponding UDM mappings for the operation "MeetingDetail" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
StartTime	`target.resource.attribute.creation_time`
EndTime	`target.resource.attribute.last_update_time`
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
MeetingURL	`target.url`
MessageId	`target.resource.product_object_id`
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
Modalities	`security_result.summary`
Organizer	`principal.user.product_object_id`
Version	`metadata.product_version`

MessageUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdated" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ExtraProperties	`additional.fields.key` and `additional.fields.value.string_value`
MessageVersion	`target.resource.attribute.labels.key/value`
MessageId	`target.resource.product_object_id`
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

AggregateTransportQueueData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateTransportQueueData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AuthorizeCustomerInsight

The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeCustomerInsight" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AuthorizeConnectorReportData

The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeConnectorReportData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchAlertOverride

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertOverride" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AuthorizeMailflowForwardingData

The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeMailflowForwardingData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchDomainTrafficStatus

The following table lists the log fields and corresponding UDM mappings for the operation "SearchDomainTrafficStatus" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchAlertActivity

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertActivity" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AggregateMailmetadata

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateMailmetadata" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

InsightGenerated

The following table lists the log fields and corresponding UDM mappings for the operation "InsightGenerated" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Category	`security_result.category_details`
Description	`security_result.description`
InsightId	`target.resource.product_object_id`
Name	`target.resource.name`
Version	`metadata.product_version`

UserSubmission

The following table lists the log fields and corresponding UDM mappings for the operation "UserSubmission" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SCAN_UNCATEGORIZED security_result.category is MAIL_SPAM
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
InternetMessageId	`network.email.mail_id`
KesMailId	`additional.fields.key` and `additional.fields.value.string_value`
ExtendedProperties	security_result.rule_name security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details
P1SenderDomain	`principal.administrative_domain`
Recipients	`network.email.to`
SenderIP	`principal.ip`
Subject	`network.email.subject`
P2Sender	`network.email.from`
SubmissionState	`security_result.summary`
P1Sender	`principal.user.email_addresses`
Version	`metadata.product_version`

SaveRoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "SaveRoleGroupMember" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AggregateCampaignIntelligenceData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateCampaignIntelligenceData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchEmailTimelineEvents

The following table lists the log fields and corresponding UDM mappings for the operation "SearchEmailTimelineEvents" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

SearchAlertStory

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertStory" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AggregateThreatDetailsBulk

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateThreatDetailsBulk" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

Get-User

The following table lists the log fields and corresponding UDM mappings for the operation "Get-User" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	target.process.command_line target.resource.product_object_id
ClientApplication	`principal.application`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

Get-DlpComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpComplianceRule" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	target.process.command_line target.resource.product_object_id
ClientApplication	`principal.application`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`

AnalyzedByExternalApplication

The following table lists the log fields and corresponding UDM mappings for the operation "AnalyzedByExternalApplication" and workload "Power BI":

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.name`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	`target.resource.attribute.labels.key/value`
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

New-MigrationBatch

The following table lists the log fields and corresponding UDM mappings for the operation "New-MigrationBatch" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.resource.name target.administrative_domain target.resource.attribute.key/value If Name is Name then Value is mapped to target.resource.name if Name is TargetDeliveryDomain then Value is mapped to target.administrative_domain If Name is AutoStart then Value is mapped to target.resource.attribute.key/value If Name is AutoComplete then Value is mapped to target.resource.attribute.key/value
SessionId	`network.session_id`

UserSubmissionTriage

The following table lists the log fields and corresponding UDM mappings for the operation "UserSubmissionTriage" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to SCAN_UNCATEGORIZED security_result.category is set to MAIL_SPAM
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	`about.labels.key/value` (deprecated)
Parameters	`additional.fields.key` and `additional.fields.value.string_value`
ClientApplication	`principal.application`
Version	`metadata.product_version`
ExtendedProperties	security_result.rule_name security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details
GradingResult	`security_result.category_details`
InternetMessageId	`network.email.mail_id`
KesMailId	`additional.fields.key` and `additional.fields.value.string_value`
P1Sender	`principal.user.email_addresses`
P1SenderDomain	`principal.administrative_domain`
P2Sender	`network.email.from`
Recipients	`network.email.to`
SenderIP	`principal.ip`
Subject	`network.email.subject`
SubmissionState	`security_result.summary`

FileArchived

The following table lists the log fields and corresponding UDM mappings for the operation "FileArchived" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`
Version	`metadata.product_version`

FileCreatedOnNetworkShare

The following table lists the log fields and corresponding UDM mappings for the operation "FileCreatedOnNetworkShare" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_CREATION
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`
Version	`metadata.product_version`

FileCreatedOnRemovableMedia

The following table lists the log fields and corresponding UDM mappings for the operation "FileCreatedOnRemovableMedia" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_CREATION
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`
Version	`metadata.product_version`

SlimFilePrinted

The following table lists the log fields and corresponding UDM mappings for the operation "SlimFilePrinted" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE target.asset.type is PRINTER
Application	`target.application`
DeviceName	`target.hostname`
FileType	`target.resource.attribute.labels.key/value`
TargetPrinterName	`target.asset.hostname`
Version	`metadata.product_version`

FilePrinted

The following table lists the log fields and corresponding UDM mappings for the operation "FilePrinted" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE target.asset.type is PRINTER
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetPrinterName	`target.asset.hostname`
Version	`metadata.product_version`
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
PreviousFileName	`src.file.full_path`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`
Version	`metadata.product_version`

ArchiveCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ArchiveCreated" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`
Version	`metadata.product_version`

FileDownloadedFromBrowser

The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloadedFromBrowser" and workload "Endpoint":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Application	`target.application`
DestinationLocationType	`target.labels.key/value` (deprecated)
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetFilePath	`target.file.full_path`
Version	`metadata.product_version`

Create application password for user

The following table lists the log fields and corresponding UDM mappings for the operation "Create application password for user" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

SearchNdrDetailData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchNdrDetailData" and workload "SecurityComplianceCenter":

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	`target.resource.attribute.creation_time`
ClientRequestId	`principal.labels.key/value` (deprecated)
ClientRequestId	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	target.process.command_line target.resource.product_object_id
ClientApplication	`principal.application`
Version	`metadata.product_version`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DatabaseType	`target.resource.attribute.labels.key/value`
DataType	`target.labels.key/value` (deprecated)
DataType	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

MessageUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdated" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	`security_result.description`
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Access

The following table lists the log fields and corresponding UDM mappings for the operation "Access" and workload "Aip":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is set to target.file.full_path
Common	target.resource.product_object_id target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version
DataState	`security_result.summary`
Version	`metadata.product_version`

Discover

The following table lists the log fields and corresponding UDM mappings for the operation "Discover" and workload "Aip":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is set to target.file.full_path
Common	target.resource.product_object_id target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version
DataState	`security_result.summary`
Version	`metadata.product_version`

TIUrlClickData

The following table lists the log fields and corresponding UDM mappings for the operation "TIUrlClickData" and workload "ThreatIntelligence":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	`target.application`
AppVersion	`metadata.product_version`
EventDeepLink	`metadata.url_back_to_product`
SourceId	AppName is Mail then SourceId is mapped to network.email.id
Url	`target.url`
UserIp	`principal.ip`
Version	`metadata.product_version`
UrlClickAction	`security_result.detection_fields.key/value`

Device no longer manged

The following table lists the log fields and corresponding UDM mappings for the operation "Device no longer manged" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is set to DEVICE
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.asset.product_object_id target.platform If Name is TargetId.DeviceId then NewValue is mapped to target.asset.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

AirInvestigationData

The following table lists the log fields and corresponding UDM mappings for the operation "AirInvestigationData" and workload "AirInvestigation":

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
LastUpdateTimeUtc	`target.resource.attribute.last_update_time`
Status	`security_result.summary`
InvestigationId	`target.resource.product_object_id`
InvestigationType	`target.resource.attribute.labels.key/value`
Data	security_result.description security_result.category_details network.email.to network.email.from network.email.mail_id network.email.subject network.direction principal.ip principal.administrative_domain principal.user.email_addresses Data.Description is mapped to security_result.description Data.Category is mapped to security_result.category_details Data.Entities.1.Recipient is mapped to network.email.to Data.Entities.1.Sender is mapped to network.email.from Data.Entities.1.InternetMessageId is mapped to network.email.mail_id Data.Entities.1.Subject is mapped to network.email.subject Data.Entities.1.AntispamDirection is mapped to network.direction Data.Entities.1.SenderIP is mapped to principal.ip Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain Data.Entities.1.P1Sender is mapped to principal.user.email_addresses
InvestigationName	`target.resource.name`
StartTimeUtc	`target.resource.attribute.creation_time`
Version	`metadata.product_versionn`
DeepLinkUrl	`metadata.url_back_to_product`

Set-MailboxJunkEmailConfiguration

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailboxJunkEmailConfiguration" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
OriginatingServer	`principal.hostname`
OrganizationName	`target.administrative_domain`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
Parameters	target.user.email_addresses If Name is BlockedSendersAndDomains then Value is mapped to target.user.email_addresses (all email addresses comes as ; separated)
SessionId	`network.session_id`
Version	`metadata.product_version`

New-DistributionGroup

The following table lists the log fields and corresponding UDM mappings for the operation "New-DistributionGroup" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is ManagedBy then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Member then Value is mapped to security_result.description else target.group.attribute.labels.key/value
SessionId	`network.session_id`

Add-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-DistributionGroupMember" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid else target.group.attribute.labels.key/value
SessionId	`network.session_id`

Remove-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-InboxRule" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.rule_labels.key/value`
SessionId	`network.session_id`

Enable-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-Mailbox" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid if Name is Archive then Value is mapped to target.resource.attribute.labels.key/value
SessionId	`network.session_id`

Import

The following table lists the log fields and corresponding UDM mappings for the operation "Import" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	`target.resource.name`
WorkspaceId	`target.resource.product_object_id`
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
ImportSource	`about.labels.key/value` (deprecated)
ImportSource	`additional.fields.key` and `additional.fields.value.string_value`
ImportType	`target.file.mime_type`
ImportDisplayName	`target.file.full_path`

Device no longer compliant

The following table lists the log fields and corresponding UDM mappings for the operation "Device no longer compliant" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to DEVICE
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.platform target.resource.product_object_id If Name is TargetId.DeviceId then NewValue is mapped to target.resource.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Enable account

The following table lists the log fields and corresponding UDM mappings for the operation Enable account and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	`principal.ip and principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`target.user.userid or target.user.email_addresses` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add service principal credentials

The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal credentials" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Set-SyncUser

The following table lists the log fields and corresponding UDM mappings for the operation "Set-SyncUser" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid
SessionId	`network.session_id`

MessageSent

The following table lists the log fields and corresponding UDM mappings for the operation "MessageSent" and workload "MicrosoftTeams":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageSizeInBytes	`target.resource.attribute.labels.key/value`
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
OperationScope	`about.labels.key/value` (deprecated)
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	`target.group.group_display_name`
AADGroupId	`target.labels.key/value` (deprecated)
AADGroupId	`additional.fields.key` and `additional.fields.value.string_value`
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
MessageId	`target.resource.product_object_id`
Version	`metadata.product_version`
MessageVersion	`target.resource.attribute.labels.key/value`

Remove service principal credentials

The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal credentials" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `Included Updated Properties`, then the `NewValue` log field value is mapped to the `security_result.summary` UDM field. Else, the `NewValue` log field value is mapped to the `target.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.struct_value.fields` UDM fields.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Remove-MoveRequest

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MoveRequest" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid If Name is ExecutingIdentity then Value is mapped to target.resource.attribute.labels.key/value

StreamInvokeGetTranscript

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGetTranscript" and workload "MicrosoftStream":

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	`principal.labels.key/value` (deprecated)
ClientApplicationId	`additional.fields.key` and `additional.fields.value.string_value`
EntityPath	`metadata.url.back_to_product`
OperationDetails	`metadata.description`
ResourceTitle	`target.resource.name`
ResourceUrl	`target.url`
Version	`metadata.product_version`

Remove owner from group

The following table lists the log fields and corresponding UDM mappings for the operation "Remove owner from group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.group.product_object_id target.group.group_display_nameIf Name is Group.ObjectID then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Add app role assignment to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment to group" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	target.resource.product_object_id target.resource.name target.group.group_display_name If Name is AppRole.Id then NewValue is mapped to target.resource.product_object_id If Name is AppRole.DisplayName then NewValue is mapped to target.resource.name If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

Disable-MailUser

The following table lists the log fields and corresponding UDM mappings for the operation "Disable-MailUser" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is True Action is set to BLOCK
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

New-FolderMoveRequest

The following table lists the log fields and corresponding UDM mappings for the operation "New-FolderMoveRequest" and workload "Exchange":

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	`metadata.product_version`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
ClientAppId	`target.labels.key/value` (deprecated)
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	If Name is Name then Value is mapped to target.resource.name If Name is DomainController then Value is mapped to target.administrative_domain If Name is Folders then Value is mapped to target.resource.attribute.labels.key/value

Add owner to policy

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to policy" and workload "AzureActiveDirectory":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	If Name is Policy.ObjectID then NewValue is mapped to target.resource.product_object_id If Name is Policy.DisplayName then NewValue is mapped to target.resource.name
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
ActorIpAddress	principal.ip and principal.port
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	`metadata.product_version`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`

EditContentProviderProperties

The following table lists the log fields and corresponding UDM mappings for the operation "EditContentProviderProperties" and workload "PowerBI":

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
DashboardName	`target.resource.attribute.labels.key/value`
DataClassification	`target.labels.key/value` (deprecated)
DataClassification	`additional.fields.key` and `additional.fields.value.string_value`
DatasetName	`target.resource.attribute.labels.key/value`
OrgAppPermission	We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	`target.resource.attribute.labels.key/value`
SharingInformation	RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	`target.resource.name`
WorkspaceId	`target.resource.product_object_id`
SwitchState	`about.labels.key/value` (deprecated)
SwitchState	`additional.fields.key` and `additional.fields.value.string_value`
ContentProviderCertificationStage	`security_result.summary`
AppId	`target.labels.key/value` (deprecated)
AppId	`additional.fields.key` and `additional.fields.value.string_value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

ReportingAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "ReportingAccessed" and workload "Project":

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
CorrelationId	`security_result.detection_fields.key/value`
Entity	`metadata.product_name`
Version	`metadata.product_version`
Action	`security_result.description`
OnBehalfOfResId	`about.labels.key/value` (deprecated)
OnBehalfOfResId	`additional.fields.key` and `additional.fields.value.string_value`

GroupAccessFailure

The following table lists the log fields and corresponding UDM mappings for the operation "GroupAccessFailure" and workload "Yammer":

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
ActorUserId	principal.user.email_addresses principal.user.userid
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
DataExportType	`target.resource.attribute.labels.key/value`
FileId	`target.resource.product_object_id`
FileName	`target.file.full_path`
GroupName	`target.group.group_display_name`
IsSoftDelete	security_result.description is set to IsSoftDelete - {IsSoftDelete}
MessageId	`target.resource.product_object_id`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`
TargetUserId	`target.user.email_addresses`
TargetYammerUserId	`target.labels.key/value` (deprecated)
TargetYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
VersionId	`about.labels.key/value` (deprecated)
VersionId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

FileSensitivityLabelChanged

The following table lists the log fields and corresponding UDM mappings for the operation FileSensitivityLabelChanged and workload SharePoint or OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED` `ObjectId` is mapped to `target.file.full_path`
AppAccessContext.CorrelationId	`security_result.detection_fields.key/value`
CorrelationId	`security_result.detection_fields.key/value`
DestinationFileExtension	`target.file.mime_type`
DestinationFileName	`target.file.full_path` is set to `{DestinationRelativeUrl}/{DestinationFileName}`
DestinationRelativeUrl	`target.file.full_path` is set to `{DestinationRelativeUrl}/{DestinationFileName}`
DestinationLabel	`target.labels.key/value` (deprecated)
DestinationLabel	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
HighPriorityMediaProcessing	`about.labels.key/value` (deprecated)
HighPriorityMediaProcessing	`additional.fields.key` and `additional.fields.value.string_value`
IsManagedDevice	`about.labels.key/value` (deprecated)
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListServerTemplate	`security_result.detection_fields.key/value`
SensitivityLabelEventData.ActionSource	`principal.labels.key/value` (deprecated)
SensitivityLabelEventData.ActionSource	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.LabelEventType	`target.labels.key/value` (deprecated)
SensitivityLabelEventData.LabelEventType	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.OldSensitivityLabelId	`target.resource.product_object_id`
SensitivityLabelEventData.OldSensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	`src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName}`
SourceRelativeUrl	`src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName}`
SourceLabel	`src.labels.key/value` (deprecated)
SourceLabel	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

FileRead

The following table lists the log fields and corresponding UDM mappings for the operation FileRead and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_READ` `ObjectId` is mapped to `target.url`
Application	`principal.application`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`target.labels.key/value` (deprecated)
EnforcementMode	`additional.fields.key` and `additional.fields.value.string_value`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
PolicyMatchInfo	`target.resource.product_object_id` `security_result.summary` `security_result.rule_id` `security_result.rule_name` `PolicyId` is mapped to `target.resource.product_object_id` `PolicyName` is mapped to `security_result.summary` `RuleId` is mapped to `security_result.rule_id` `RuleName` is mapped to `security_result.rule_name`
RMSEncrypted	`security_result.detection_fields.key/value`
SensitiveInfoTypeData	`security_result.detection_fields.key/value` `security_result.confidence_details`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`

MessageReadReceiptReceived

The following table lists the log fields and corresponding UDM mappings for the operation MessageReadReceiptReceived and workload MicrosoftTeams:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`
ChatThreadId	`target.user.group_identifiers` `target.group.product_object_id`
CommunicationType	`about.labels.key/value` (deprecated)
CommunicationType	`additional.fields.key` and `additional.fields.value.string_value`
MessageId	`target.resource.product_object_id`
MessageVersion	`target.resource.attribute.labels.key/value`
MessageVisibilityTime	`target.resource.attribute.labels.key/value`
ParticipantInfo.HasForeignTenantUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasOtherGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasUnauthenticatedUsers	`security_result.detection_fields.key/value`
ParticipantInfo.ParticipatingTenantIds	`security_result.detection_fields.key/value`

Search

The following table lists the log fields and corresponding UDM mappings for the operation Search and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UNCATEGORIZED`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
DataType	`security_result.description`

TaskDeleted

The following table lists the log fields and corresponding UDM mappings for the operation TaskDeleted and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_DELETION` `target.resource.resource_type` is set to `TASK`
ActorAppId	`target.labels.key/value` (deprecated)
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`security_result.detection_fields.key/value`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value` (deprecated)
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`target.labels.key/value` (deprecated)
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

TaskUpdated

The following table lists the log fields and corresponding UDM mappings for the operation TaskUpdated and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN` `target.resource.resource_type` is set to `TASK`
ActorAppId	`target.labels.key/value` (deprecated)
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`security_result.detection_fields.key/value`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value` (deprecated)
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`target.labels.key/value` (deprecated)
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

TaskCreation

The following table lists the log fields and corresponding UDM mappings for the operation TaskCreation and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_CREATION` `target.resource.resource_type` is set to `TASK`
ActorAppId	`target.labels.key/value` (deprecated)
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`security_result.detection_fields.key/value`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value` (deprecated)
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`target.labels.key/value` (deprecated)
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

SecurityGroupModified

The following table lists the log fields and corresponding UDM mappings for the operation SecurityGroupModified and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `GROUP_MODIFICATION`
CorrelationId	`security_result.detection_fields.key/value`
Entity	`metadata.product_name`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AppAccessContext.UniqueTokenId	`target.labels.key/value` (deprecated)
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
AppAccessContext.CorrelationId	`security_result.detection_fields.key/value`

LaunchPowerApp

The following table lists the log fields and corresponding UDM mappings for the operation LaunchPowerApp and workload PowerApps:

Log field	UDM mapping
	`metadata.event_type` is mapped to `GENERIC_EVENT`
AppName	`target.labels.key/value` (deprecated)
AppName	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

DeleteDatasetRows

The following table lists the log fields and corresponding UDM mappings for the operation DeleteDatasetRows and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_DELETION`. If `ResultStatus` is TRUE then `Action` is set to `ALLOW` and `security_result.summary` is set to `DataSetRow deletion successful` else `Action` is set to `BLOCK` and `security_result.summary` is set to `DataSetRow deletion failed`.
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
ArtifactId	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
TableName	`target.resource.attribute.labels.key/value`
LastRefreshTime	`about.labels.key/value` (deprecated)
LastRefreshTime	`additional.fields.key` and `additional.fields.value.string_value`
ArtifactKind	`target.resource.attribute.labels.key/value`

New-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value` (deprecated)
ClientApplication	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

New-DlpComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation New-DlpComplianceRule and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value` (deprecated)
ClientApplication	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Get-InsiderRiskPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Get-InsiderRiskPolicy and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`.
ClientApplication	`principal.labels.key/value` (deprecated)
ClientApplication	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Set-HostedContentFilterPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Set-HostedContentFilterPolicy and workload Exchange:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`. `target.resource.resource_type` is set to `SETTING`. If `ResultStatus` is TRUE then `Action` is set to `ALLOW` else `Action` is set to `BLOCK`.
ExternalAccess	`about.labels.key/value` (deprecated)
ExternalAccess	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.resource.product_object_id`
Version	`metadata.product_version`
Parameters	`target.resource.attribute.labels.key/value`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`

Enable Strong Authentication.

The following table lists the log fields and corresponding UDM mappings for the operation Enable Strong Authentication. and workload AzureActiveDirectory:

Log field UDM mapping

metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.

ExtendedProperties

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties

security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

ReactedToMessage

The following table lists the log fields and corresponding UDM mappings for the operation ReactedToMessage and workload MicrosoftTeams:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.IssuedAtTime	`target.labels.key/value` (deprecated)
AppAccessContext.IssuedAtTime	`additional.fields.key` and `additional.fields.value.string_value`
AppAccessContext.UniqueTokenId	`target.labels.key/value` (deprecated)
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
ChatThreadId	`target.user.group_identifiers`
ChatThreadId	`target.group.product_object_id`
MessageReactionType	`target.resource.attribute.labels.key/value`
ChatName	`target.group.group_display_name`
MessageId	`target.resource.product_object_id`
ParticipantInfo.HasForeignTenantUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasOtherGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasUnauthenticatedUsers	`security_result.detection_fields.key/value`
ParticipantInfo.ParticipatingTenantIds	`security_result.detection_fields.key/value`

RemovableMediaUnmount

The following table lists the log fields and corresponding UDM mappings for the operation RemovableMediaUnmount and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
MDATPDeviceId	`target.asset.asset_id`
Platform	`target.labels.key/value` (deprecated)
Platform	`additional.fields.key` and `additional.fields.value.string_value`
Scope	`target.labels.key/value` (deprecated)
Scope	`additional.fields.key` and `additional.fields.value.string_value`
RemovableMediaDeviceAttributes.Manufacturer	`target.asset.hardware.manufacturer`
RemovableMediaDeviceAttributes.Model	`target.asset.hardware.model`
RemovableMediaDeviceAttributes.SerialNumber	`target.asset.hardware.serial_number`

FileUploadedToCloud

The following table lists the log fields and corresponding UDM mappings for the operation FileUploadedToCloud and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_SYNC`.
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`target.labels.key/value` (deprecated)
EnforcementMode	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.FullUrl	`target.file.full_path`
EvidenceFile.StorageName	`target.file.names`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
ObjectId	`target.file.full_path`
SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.Confidence	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
TargetPrinterName	`target.asset.hostname`
	`target.asset.type` is set to `PRINTER`
TargetDomain	`target.labels.key/value` (deprecated)
TargetDomain	`additional.fields.key` and `additional.fields.value.string_value`

GenerateDataflowSasToken

The following table lists the log fields and corresponding UDM mappings for the operation GenerateDataflowSasToken and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_CHANGE_PERMISSIONS`.
DataflowAccessTokenRequestParameters.entityName	`principal.labels.key/value` (deprecated)
DataflowAccessTokenRequestParameters.entityName	`additional.fields.key` and `additional.fields.value.string_value`
DataflowAccessTokenRequestParameters.partitionUri	`principal.labels.key/value` (deprecated)
DataflowAccessTokenRequestParameters.partitionUri	`additional.fields.key` and `additional.fields.value.string_value`
DataflowAccessTokenRequestParameters.permissions	`principal.labels.key/value` (deprecated)
DataflowAccessTokenRequestParameters.permissions	`additional.fields.key` and `additional.fields.value.string_value`
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes	`principal.labels.key/value` (deprecated)
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes	`additional.fields.key` and `additional.fields.value.string_value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
IsSuccess	If `IsSuccess` is TRUE then `Action` is set to `ALLOW` else `Action` is set to `BLOCK`.
ItemName	`target.labels.key/value` (deprecated)
ItemName	`additional.fields.key` and `additional.fields.value.string_value`

GenerateScreenshot

The following table lists the log fields and corresponding UDM mappings for the operation GenerateScreenshot and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`.

MDCAssessments

The following table lists the log fields and corresponding UDM mappings for the operation MDCAssessments and workload CompliancePostureManagement:

Log field	UDM mapping
	`metadata.event_type` is mapped to `SCAN_UNCATEGORIZED`.
PropertyBag.AssessmentStatusPerInitiative.ArnEventId	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.ArnEventId	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.CloudProvider	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.CloudProvider	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.CustomerResourceId	`about.resource.product_object_id`
PropertyBag.AssessmentStatusPerInitiative.EventType	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.EventType	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.ResourceName	`about.resource.name`
PropertyBag.AssessmentStatusPerInitiative.ResourceType	`about.resource.resource_subtype`
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.StatusCode	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.StatusCode	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.SubscriptionId	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.SubscriptionId	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.AssessmentStatusPerInitiative.SubscriptionName	`about.labels.key/value` (deprecated)
PropertyBag.AssessmentStatusPerInitiative.SubscriptionName	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.DataType	`about.labels.key/value` (deprecated)
PropertyBag.DataType	`additional.fields.key` and `additional.fields.value.string_value`

RemovableMediaMount

The following table lists the log fields and corresponding UDM mappings for the operation RemovableMediaMount and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
MDATPDeviceId	`target.asset.asset_id`
Platform	`target.labels.key/value` (deprecated)
Platform	`additional.fields.key` and `additional.fields.value.string_value`
Scope	`target.labels.key/value` (deprecated)
Scope	`additional.fields.key` and `additional.fields.value.string_value`
RemovableMediaDeviceAttributes.Manufacturer	`target.asset.hardware.manufacturer`
RemovableMediaDeviceAttributes.Model	`target.asset.hardware.model`
RemovableMediaDeviceAttributes.SerialNumber	`target.asset.hardware.serial_number`

SignInEvent

The following table lists the log fields and corresponding UDM mappings for the operation SignInEvent and workload SharePoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
AuthenticationType	`principal.labels.key/value` (deprecated)
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`principal.labels.key/value` (deprecated)
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`principal.labels.key/value` (deprecated)
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`principal.labels.key/value` (deprecated)
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
IsManagedDevice	`principal.labels.key/value` (deprecated)
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`

ApprovedRequest

The following table lists the log fields and corresponding UDM mappings for the operation ApprovedRequest and workload MicrosoftTeams:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`.
ItemName	`target.labels.key/value` (deprecated)
ItemName	`additional.fields.key` and `additional.fields.value.string_value`

CreateForm

The following table lists the log fields and corresponding UDM mappings for the operation CreateForm and workload MicrosoftForms:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`.
FormsUserType	`target.labels.key/value` (deprecated)
FormsUserType	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`

ListForms

The following table lists the log fields and corresponding UDM mappings for the operation ListForms and workload MicrosoftForms:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.

MDCRegulatoryComplianceAssessments

The following table lists the log fields and corresponding UDM mappings for the operation MDCRegulatoryComplianceAssessments and workload CompliancePostureManagement:

Log field	UDM mapping
	`metadata.event_type` is mapped to `SCAN_UNCATEGORIZED`.
PropertyBag.DataType	`about.labels.key/value` (deprecated)
PropertyBag.DataType	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.ArnEventId	`about.labels.key/value` (deprecated)
PropertyBag.Policy.ArnEventId	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.Description	`about.labels.key/value` (deprecated)
PropertyBag.Policy.Description	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.DetailsLink	`about.labels.key/value` (deprecated)
PropertyBag.Policy.DetailsLink	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.EventTime	`about.labels.key/value` (deprecated)
PropertyBag.Policy.EventTime	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.EventType	`about.labels.key/value` (deprecated)
PropertyBag.Policy.EventType	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.PolicyInitiativeId	`about.labels.key/value` (deprecated)
PropertyBag.Policy.PolicyInitiativeId	`additional.fields.key` and `additional.fields.value.string_value`
PropertyBag.Policy.PolicyInitiativeName	`about.labels.key/value` (deprecated)
PropertyBag.Policy.PolicyInitiativeName	`additional.fields.key` and `additional.fields.value.string_value`

PreviewForm

The following table lists the log fields and corresponding UDM mappings for the operation PreviewForm and workload MicrosoftForms:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_ACCESS`.

ViewedApprovalRequest

The following table lists the log fields and corresponding UDM mappings for the operation ViewedApprovalRequest and workload MicrosoftTeams:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_ACCESS`.
ItemName	`target.labels.key/value` (deprecated)
ItemName	`additional.fields.key` and `additional.fields.value.string_value`

ListCreated

The following table lists the log fields and corresponding UDM mappings for the operation ListCreated and workload SharePoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.UniqueTokenId	`target.labels.key/value` (deprecated)
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`

SiteColumnCreated

The following table lists the log fields and corresponding UDM mappings for the operation SiteColumnCreated and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
ObjectId	`target.resource.product_object_id`

ListViewUpdated

The following table lists the log fields and corresponding UDM mappings for the operation ListViewUpdated and workload SharePoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.UniqueTokenId	`target.labels.key/value` (deprecated)
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
AuthenticationType	`principal.labels.key/value` (deprecated)
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`principal.labels.key/value` (deprecated)
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`principal.labels.key/value` (deprecated)
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
CustomizedDoclib	`principal.labels.key/value` (deprecated)
CustomizedDoclib	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`principal.labels.key/value` (deprecated)
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
FromApp	`principal.labels.key/value` (deprecated)
FromApp	`additional.fields.key` and `additional.fields.value.string_value`
IsManagedDevice	`principal.labels.key/value` (deprecated)
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemCount	`target.labels.key/value` (deprecated)
ItemCount	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseTemplateType	`target.labels.key/value` (deprecated)
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListColor	`target.labels.key/value` (deprecated)
ListColor	`additional.fields.key` and `additional.fields.value.string_value`
ListIcon	`target.labels.key/value` (deprecated)
ListIcon	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value` (deprecated)
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.url`
Platform	`target.labels.key/value` (deprecated)
Platform	`additional.fields.key` and `additional.fields.value.string_value`
RecordType	`security_result.detection_fields.key/value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
Source	`security_result.description`
TemplateTypeId	`about.labels.key/value` (deprecated)
TemplateTypeId	`additional.fields.key` and `additional.fields.value.string_value`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

TeamsUserSignedOut

The following table lists the log fields and corresponding UDM mappings for the operation TeamsUserSignedOut and workload MicrosoftTeams:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_LOGOUT`.
	`extension.auth.auth_type` is mapped to `SSO`.
ChannelGuid	`target.labels.key/value` (deprecated)
ChannelGuid	`additional.fields.key` and `additional.fields.value.string_value`
ChannelName	`target.labels.key/value` (deprecated)
ChannelName	`additional.fields.key` and `additional.fields.value.string_value`
ChatName	`target.group.group_display_name`
ChatThreadId	`target.user.group_identifiers`
DeviceInformation	`principal.labels.key/value` (deprecated)
DeviceInformation	`additional.fields.key` and `additional.fields.value.string_value`
ItemName	`target.labels.key/value` (deprecated)
ItemName	`additional.fields.key` and `additional.fields.value.string_value`
MessageId	`target.labels.key/value` (deprecated)
MessageId	`additional.fields.key` and `additional.fields.value.string_value`
MessageVersion	`target.labels.key/value` (deprecated)
MessageVersion	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
TeamGuid	`target.group.product_object_id`
TeamName	`target.group.group_display_name`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserType	`target.user.attribute.roles`
Version	`metadata.product_version`

GetWorkspaces

The following table lists the log fields and corresponding UDM mappings for the operation GetWorkspaces and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Activity	`about.labels.key/value` (deprecated)
Activity	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`about.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
AggregatedWorkspaceInformation.WorkspaceCount	`target.labels.key/value` (deprecated)
AggregatedWorkspaceInformation.WorkspaceCount	`additional.fields.key` and `additional.fields.value.string_value`
AggregatedWorkspaceInformation.WorkspacesByCapacitySku	`target.labels.key/value` (deprecated)
AggregatedWorkspaceInformation.WorkspacesByCapacitySku	`additional.fields.key` and `additional.fields.value.string_value`
AggregatedWorkspaceInformation.WorkspacesByType	`target.labels.key/value` (deprecated)
AggregatedWorkspaceInformation.WorkspacesByType	`additional.fields.key` and `additional.fields.value.string_value`
IsSuccess	`security_result.action`
UserAgent	`network.http.user_agent`

ConnectFromExternalApplication

The following table lists the log fields and corresponding UDM mappings for the operation ConnectFromExternalApplication and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Activity	`about.labels.key/value` (deprecated)
Activity	`additional.fields.key` and `additional.fields.value.string_value`
CustomData	`about.labels.key/value` (deprecated)
CustomData	`additional.fields.key` and `additional.fields.value.string_value`

TaskListRead

The following table lists the log fields and corresponding UDM mappings for the operation TaskListRead and workload Planner:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
UserKey	`principal.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
TaskList	`target.labels.key/value` (deprecated)
TaskList	`additional.fields.key` and `additional.fields.value.string_value`

PutConnection

The following table lists the log fields and corresponding UDM mappings for the operation PutConnection and workload PowerApps:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AdditionalInfo.actionName	`security_result.detection_fields.key/value`
ResourceId	`target.labels.key/value` (deprecated)
ResourceId	`additional.fields.key` and `additional.fields.value.string_value`
UserKey	`target.label.key/value`
AdditionalInfo.environmentName	`target.labels.key/value` (deprecated)
AdditionalInfo.environmentName	`additional.fields.key` and `additional.fields.value.string_value`

AdminSubmissionTablAllow

The following table lists the log fields and corresponding UDM mappings for the operation AdminSubmissionTablAllow and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `GENERIC_EVENT`.
SubmissionContent	`security_result.detection_fields.key/value`
SubmissionContentType	`security_result.detection_fields.key/value`
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
Recipients	`network.email.to`
SubmissionState	`security_result.summary`
SubmissionId	`security_result.detection_fields.key/value`
ExtendedProperties	`principal.labels.key/value` (deprecated) `about.labels.key/value` (deprecated) If the `Name` log field value is equal to `AdminReviewTime` or `AdminReviewResult`, then the `Value` is mapped to the `principal.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
SubmissionConfidenceLevel	`security_result.detection_fields.key/value`
SubmissionType	`security_result.detection_fields.key/value`
MessageDate	`about.labels.key/value` (deprecated)
MessageDate	`additional.fields.key` and `additional.fields.value.string_value`
P1SenderDomain	`principal.administrative_domain`
UserKey	`target.label.key/value`
P2SenderDomain	`about.administrative_domain`
Subject	`network.email.subject`
Version	`metadata.product_version`

Add contact.

The following table lists the log fields and corresponding UDM mappings for the operation Add contact. and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_CREATION`. `target.resource.resource_subtype` is set to `Contact`.
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
IntraSystemId	`target.resource.attribute.labels.key/value`
ActorContextId	`principal.labels.key/value` (deprecated)
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
SupportTicketId	`about.labels.key/value` (deprecated)
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
TargetContextId	`target.labels.key/value` (deprecated)
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
UserKey	`target.label.key/value`
Target	`security_result.detection_fields.key/value`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
ExtendedProperties	`target.resource.attribute.labels.key/value` `about.labels.key/value` (deprecated) `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `about.labels.key/value` (deprecated), `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`target.resource.name` `target.resource.attribute.labels.key/value` `security_result.detection_fields.key/value` `security_result.summary` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` and `OldValue` is mapped to `security_result.detection_field.key/value`. Else if `Name` is `DisplayName` then `NewValue` is mapped to `target.resource.name` and `OldValue` is mapped to `target.resource.attribute.key/value`. Else `target.resource.attribute.labels.key/value`.

WorkspacePortalUrlReceived

The following table lists the log fields and corresponding UDM mappings for the operation WorkspacePortalUrlReceived and workload MicrosoftDefenderForIdentity:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ResultDescription	`security_result.detection_fields.key.value`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`

PutConnectionPermission

The following table lists the log fields and corresponding UDM mappings for the operation PutConnectionPermission and workload PowerApps:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_PERMISSIONS_CHANGE`. `target.resource.resource_type` is set to `SETTING`.
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
AdditionalInfo.actionName	`security_result.detection_fields.key/value`
ResourceId	`target.resource.attribute.labels.key/value`
UserKey	`target.label.key/value`
AdditionalInfo.environmentName	`target.resource.attribute.labels.key/value`
AdditionalInfo.targetObjectId	`target.resource.product_object_id`

SensitivityLabeledFileOpened

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabeledFileOpened and workload PublicEndpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_OPEN`.
PreviousProtectionType.protectionType	`security_result.detection_fields.key/value`
CurrentProtectionType.protectionType	`security_result.detection_fields.key/value`
DeviceName	`target.hostname`
CurrentProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
CurrentProtectionType.owner	`security_result.about.email_addresses`
TargetLocation	`target.labels.key/value` (deprecated)
TargetLocation	`additional.fields.key` and `additional.fields.value.string_value`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
LabelId	`target.labels.key/value` (deprecated)
LabelId	`additional.fields.key` and `additional.fields.value.string_value`
CurrentProtectionType.templateId	`security_result.detection_fields.key/value`
ProtectionEventType	`security_result.detection_fields.key/value`
ContentType	`target.labels.key/value` (deprecated)
ContentType	`additional.fields.key` and `additional.fields.value.string_value`
Platform	`target.platform`
UserSku	`principal.labels.key/value` (deprecated)
UserSku	`additional.fields.key` and `additional.fields.value.string_value`
PreviousProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
ObjectId	`target.url`
PreviousProtectionType.owner	`security_result.about.email_addresses`
Application	`principal.application`
PreviousProtectionType.templateId	`security_result.detection_fields.key/value`

Validate

The following table lists the log fields and corresponding UDM mappings for the operation Validate and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ResultCount	`target.labels.key/value` (deprecated)
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`security_result.description`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
AadAppId	`target.labels.key/value` (deprecated)
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
RelativeUrl	`target.url`

SensitivityLabeledFileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabeledFileRenamed and workload PublicEndpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_MOVE`.
PreviousProtectionType.protectionType	`security_result.detection_fields.key/value`
CurrentProtectionType.protectionType	`security_result.detection_fields.key/value`
DeviceName	`target.hostname`
CurrentProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
CurrentProtectionType.owner	`security_result.about.email_addresses`
TargetLocation	`target.labels.key/value` (deprecated)
TargetLocation	`additional.fields.key` and `additional.fields.value.string_value`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
LabelId	`target.labels.key/value` (deprecated)
LabelId	`additional.fields.key` and `additional.fields.value.string_value`
CurrentProtectionType.templateId	`security_result.detection_fields.key/value`
ProtectionEventType	`security_result.detection_fields.key/value`
ContentType	`target.labels.key/value` (deprecated)
ContentType	`additional.fields.key` and `additional.fields.value.string_value`
Platform	`target.platform`
UserSku	`principal.labels.key/value` (deprecated)
UserSku	`additional.fields.key` and `additional.fields.value.string_value`
PreviousProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
ObjectId	`target.url`
PreviousProtectionType.owner	`security_result.about.email_addresses`
Application	`principal.application`
PreviousProtectionType.templateId	`security_result.detection_fields.key/value`
PreviousTarget	`src.url`

TaskModified

The following table lists the log fields and corresponding UDM mappings for the operation TaskModified and workload Planner:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.type` is set to `TASK`.
PlanId	`target.resource.attribute.labels.key/value`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.resource.product_object_id`

DeleteTile

The following table lists the log fields and corresponding UDM mappings for the operation TaskModified and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_DELETION`.
WorkspaceId	`target.resource.product_object_id`
WorkSpaceName	`target.resource.name`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`principal.labels.key/value` (deprecated)
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
RefreshEnforcementPolicy	`security_result.detection_fields.key/value`
RequestId	`about.labels.key/value` (deprecated)
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
IsSuccess	`security_result.action`
UserAgent	`network.http.user_agent`
ObjectId	`target.resource.attribute.labels.key/value`

QuarantineReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the operation QuarantineReleaseMessage and workload Quarantine:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
NetworkMessageId	`security_result.detection_fields.key/value`
ReleaseTo	`security_result.detection_fields.key/value`
RequestType	`security_result.detection_fields.key/value`
RequestSource	`security_result.detection_fields.key/value`

WorkspaceStatusReceived

The following table lists the log fields and corresponding UDM mappings for the operation WorkspaceStatusReceived and workload MicrosoftDefenderForIdentity:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ResultDescription	`security_result.detection_fields.key/value`

LinkedEntityUpdated

The following table lists the log fields and corresponding UDM mappings for the operation LinkedEntityUpdated and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.resource_type` is set to `TASK`.
ActorAppId	`target.labels.key/value` (deprecated)
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`security_result.detection_fields.key/value` and `target.resource.product_object_id`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value` (deprecated)
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`target.labels.key/value` (deprecated)
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

ViewResponse

The following table lists the log fields and corresponding UDM mappings for the operation ViewResponse and workload MicrosoftForms:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
FormsUserTypes	`principal.labels.key/value` (deprecated)
FormsUserTypes	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`
FormName	`target.resource.name`
FormId	`target.resource.product_object_id`

PlanListRead

The following table lists the log fields and corresponding UDM mappings for the operation PlanListRead and workload Planner:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_subtype` is set to `Plan`.
PlanList	`target.resource.product_object_id`
ObjectId	`target.resource.attribute.labels.key/value`

O365SyncAdminUserPromotion

The following table lists the log fields and corresponding UDM mappings for the operation O365SyncAdminUserPromotion and workload Yammer:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ActorUserId	`principal.user.email_addresses` or `principal.user.userid`
ActorYammerUserId	`principal.labels.key/value` (deprecated)
ActorYammerUserId	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.labels.key/value` (deprecated)
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`
YammerNetworkId	`principal.labels.key/value` (deprecated)
YammerNetworkId	`additional.fields.key` and `additional.fields.value.string_value`

FileCopiedToClipboard

The following table lists the log fields and corresponding UDM mappings for the operation FileCopiedToClipboard and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED`.
Application	`principal.application`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`target.labels.key/value` (deprecated)
EnforcementMode	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.FullUrl	`target.labels.key/value` (deprecated)
EvidenceFile.FullUrl	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.StorageName	`target.labels.key/value` (deprecated)
EvidenceFile.StorageName	`additional.fields.key` and `additional.fields.value.string_value`
FileExtension	`target.file.mime_type`
FileType	`target.resource.attribute.labels.key/value`
FileSizeBytes	`target.file.size`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
ObjectId	`target.file.full_path`
Platform	`target.labels.key/value` (deprecated)
Platform	`additional.fields.key` and `additional.fields.value.string_value`
PolicyMatchInfo	`target.resource.product_object_id` `security_result.summary` `security_result.rule_id` `security_result.rule_name` `PolicyId` is mapped to `target.resource.product_object_id` `PolicyName` is mapped to `security_result.summary` `RuleId` is mapped to `security_result.rule_id` `RuleName` is mapped to `security_result.rule_name`
SensitiveInfoTypeData	`security_result.detection_fields.key/value` `security_result.confidence_details`
Scope	`target.labels.key/value` (deprecated)
Scope	`additional.fields.key` and `additional.fields.value.string_value`
RMSEncrypted	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
SourceLocationType	`principal.labels.key/value` (deprecated)
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetDomain	`target.domain.name`
TargetFilePath	`target.labels.key/value` (deprecated)
TargetFilePath	`additional.fields.key` and `additional.fields.value.string_value`
OriginatingDomain	`principal.domain.name`

FileTranscriptContentAccessed

The following table lists the log fields and corresponding UDM mappings for the operation FileTranscriptContentAccessed and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_READ`.
AlternateStreamId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application` and `target.resource.name`
ApplicationId	`target.resource.product_object_id`
AuthenticationType	`principal.labels.key/value` (deprecated)
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
AppAccessContext.UniqueTokenId	`target.labels.key/value` (deprecated)
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`principal.labels.key/value` (deprecated)
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`principal.labels.key/value` (deprecated)
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`principal.labels.key/value` (deprecated)
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
IsManagedDevice	`principal.labels.key/value` (deprecated)
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
HighPriorityMediaProcessing	`about.labels.key/value` (deprecated)
HighPriorityMediaProcessing	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseType	`target.labels.key/value` (deprecated)
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListServerTemplate	`security_result.detection_fields.key/value`
ObjectId	`target.url`
Platform	`target.labels.key/value` (deprecated)
Platform	`additional.fields.key` and `additional.fields.value.string_value`
Site	`target.labels.key/value` (deprecated)
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path` is mapped to `SourceRelativeUrl`/`SourceFileName`.
SourceRelativeUrl	`target.file.full_path` is mapped to `SourceRelativeUrl`/`SourceFileName`.
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value` (deprecated)
WebId	`additional.fields.key` and `additional.fields.value.string_value`

Set-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Set-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value` (deprecated)
ClientApplication	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Remove-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_DELETION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value` (deprecated)
ClientApplication	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Remove-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Remove-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_DELETION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value` (deprecated)
ClientApplication	`additional.fields.key` and `additional.fields.value.string_value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value` (deprecated)
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value` (deprecated)
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
UserServicePlan	`principal.labels.key/value` (deprecated)
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`

Add-MailboxLocation

The following table lists the log fields and corresponding UDM mappings for the operation Add-MailboxLocation and workload Exchange:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
AppId	`target.resource.attribute.labels.key/value`
ClientAppId	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.resource.product_object_id`
OrganizationName	`target.administrative_domain`
OriginatingServer	`principal.hostname`
Parameters	`security_result.detection_fields.key/value`
SessionId	`network.session_id`
Version	`metadata.product_version`
RequestId	`additional.fields.key` and `additional.fields.value.string_value`

Release-QuarantineMessage

The following table lists the log fields and corresponding UDM mappings for the operation Release-QuarantineMessage and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`additional.fields.key` and `additional.fields.value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`additional.fields.key` and `additional.fields.value.string_value`

SensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabelApplied and workload PublicEndpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `GENERIC_EVENT`. `target.resource.resource_type` is set to `SETTING`.
Application	`principal.application`
ContentType	`additional.fields.key` and `additional.fields.value.string_value`
CurrentProtectionType.protectionType	`target.resource.attribute.labels.key/value`
CurrentProtectionType.documentEncrypted	`target.resource.attribute.labels.key/value`
CurrentProtectionType.owner	`target.resource.attribute.labels.key/value`
CurrentProtectionType.templateId	`target.resource.attribute.labels.key/value`
DeviceName	`target.hostname`
EmailInfo.cc	`network.email.cc`
EmailInfo.bcc	`network.email.bcc`
EmailInfo.from	`network.email.from`
EmailInfo.subject	`network.email.subject`
EmailInfo.to	`network.email.to`
Platform	`target.platform`
PreviousProtectionType.protectionType	`target.resource.attribute.labels.key/value`
PreviousProtectionType.documentEncrypted	`target.resource.attribute.labels.key/value`
PreviousProtectionType.owner	`target.resource.attribute.labels.key/value`
PreviousProtectionType.templateId	`target.resource.attribute.labels.key/value`
ProtectionEventType	`security_result.detection_fields.key/value`
TargetLocation	`additional.fields.key` and `additional.fields.value.string_value`
UserSku	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.ActionSource	`security_result.detection_fields.key/value`
SensitivityLabelEventData.ActionSourceDetail	`security_result.detection_fields.key/value`
SensitivityLabelEventData.LabelEventType	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`target.resource.product_object_id`

SharingLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation SharingLinkCreated and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_CREATION`. `target.resource.resource_subtype` is set to `Link`.
ApplicationDisplayName	`target.application` and `target.resource.name`
ApplicationId	`target.resource.product_object_id`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ObjectId	`target.url`
Permission	`target.resource.attribute.permissions.name`
Platform	`target.platform`
SharingLinkScope	`target.resource.attribute.labels.key/value`
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`additional.fields.key` and `additional.fields.value.string_value`

TimesheetSaved

The following table lists the log fields and corresponding UDM mappings for the operation TimesheetSaved and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_subtype` is set to `Timesheet`.
Action	`security_result.description`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
Entity	`metadata.product_name`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
Platform	`target.platform`
UserAgent	`network.http.user_agent`

ResourceCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation ResourceCheckedOut and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`.
Action	`security_result.description`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
Entity	`metadata.product_name`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
Platform	`target.platform`
UserAgent	`network.http.user_agent`

TimesheetAccessed

The following table lists the log fields and corresponding UDM mappings for the operation TimesheetAccessed and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_subtype` is set to `Timesheet`.
Action	`security_result.description`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
Entity	`metadata.product_name`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
Platform	`target.platform`
UserAgent	`network.http.user_agent`

ListItemRecycled

The following table lists the log fields and corresponding UDM mappings for the operation ListItemRecycled and workload SharePoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ApplicationDisplayName	`target.application` and `target.resource.name`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseTemplateType	`additional.fields.key` and `additional.fields.value.string_value`
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListTitle	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.url`
Platform	`target.platform`
Site	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`additional.fields.key` and `additional.fields.value.string_value`

SensitivityLabelUpdated

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabelUpdated and workload PowerPoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Application	`principal.application`
ContentType	`additional.fields.key` and `additional.fields.value.string_value`
CurrentProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
CurrentProtectionType.owner	`security_result.about.user.email_addresses`
CurrentProtectionType.protectionType	`security_result.detection_fields.key/value`
CurrentProtectionType.templateId	`security_result.detection_fields.key/value`
DeviceName	`target.hostname`
ObjectId	`target.url`
Platform	`target.platform`
PreviousProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
PreviousProtectionType.owner	`security_result.about.user.email_addresses`
PreviousProtectionType.protectionType	`security_result.detection_fields.key/value`
PreviousProtectionType.templateId	`security_result.detection_fields.key/value`
ProtectionEventType	`security_result.detection_fields.key/value`
SensitivityLabelEventData.ActionSource	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.LabelEventType	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.OldSensitivityLabelId	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`target.resource.product_object_id`
TargetLocation	`additional.fields.key` and `additional.fields.value.string_value`
UserSku	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.JustificationText	`security_result.detection_fields.key/value`

GetGroupUsers

The following table lists the log fields and corresponding UDM mappings for the operation GetGroupUsers and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`.
Activity	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
CapacityId	`additional.fields.key` and `additional.fields.value.string_value`
IsSuccess	`security_result.action`
ObjectId	`target.resource.name`
RefreshEnforcementPolicy	`security_result.detection_fields.key/value`
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WorkspaceId	`target.resource.product_object_id`

SubTaskCreated

The following table lists the log fields and corresponding UDM mappings for the operation SubTaskCreated and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_CREATION`. `target.resource.type` is set to `TASK`.
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`target.resource.product_object_id`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

TaskRead

The following table lists the log fields and corresponding UDM mappings for the operation TaskRead and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.type` is set to `TASK`.
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`target.resource.product_object_id`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

SubTaskUpdated

The following table lists the log fields and corresponding UDM mappings for the operation SubTaskUpdated and workload MicrosoftTodo:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.type` is set to `TASK`.
ActorAppId	`additional.fields.key` and `additional.fields.value.string_value`
ItemId	`target.resource.product_object_id`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`additional.fields.key` and `additional.fields.value.string_value`
TargetActorTenantId	`additional.fields.key` and `additional.fields.value.string_value`

SharingLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation SharingLinkUpdated and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.resource_subtype` is set to `Link`.
ApplicationDisplayName	`target.application` and `target.resource.name`
ApplicationId	`target.resource.product_object_id`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ObjectId	`target.url`
Permission	`target.resource.attribute.permissions.name`
Platform	`target.platform`
SharingLinkScope	`target.resource.attribute.labels.key/value`
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelId	`security_result.detection_fields.key/value`

Authorize

The following table lists the log fields and corresponding UDM mappings for the operation Authorize and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
AadAppId	`additional.fields.key` and `additional.fields.value.string_value`
DataType	`security_result.description`
RelativeUrl	`target.url`
ResultCount	`additional.fields.key` and `additional.fields.value.string_value`

AddedToSharingLink

The following table lists the log fields and corresponding UDM mappings for the operation AddedToSharingLink and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`.
ApplicationDisplayName	`target.application` and `target.resource.name`
ApplicationId	`target.resource.product_object_id`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ObjectId	`target.url`
Permission	`target.resource.attribute.permissions.name`
Platform	`target.platform`
SharingLinkScope	`target.resource.attribute.labels.key/value`
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelId	`security_result.detection_fields.key/value`
`TargetUserOrGroupName`	If the `TargetUserOrGroupType` log field value contain one of the following values, then the `TargetUserOrGroupName` field is mapped to the `target.group.group_display_name` UDM field: `SecurityGroup` `SharePointGroup` Else, if the `TargetUserOrGroupType` log field value contain one of the following values, then the `TargetUserOrGroupName` field is mapped to the `target.user.email_addresses` UDM field: `Member` `Guest`

SharingLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation SharingLinkUsed and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_subtype` is set to `Link`.
ApplicationDisplayName	`target.application` and `target.resource.name`
ApplicationId	`target.resource.product_object_id`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ObjectId	`target.url`
Permission	`target.resource.attribute.permissions.name`
Platform	`target.platform`
SharingLinkScope	`target.resource.attribute.labels.key/value`
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
UniqueSharingId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
WebId	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelId	`security_result.detection_fields.key/value`

Update policy.

The following table lists the log fields and corresponding UDM mappings for the operation Update policy. and workload AzureActiveDirectory:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, the `Value` log field is mapped to the `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.summary` `target.resource.name` If the `Name` log field value is equal to `DisplayName`, then `NewValue` log field is mapped to the `target.resource.name` UDM field. If the `Name` log field value is equal to `Updated Properties`, then `NewValue` log field is mapped to the `security_result.summary` UDM field.
`Actor`	`security_result.detection_fields.key/value`
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`security_result.detection_fields.key/value`
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.resource.product_object_id`

FileSensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation FileSensitivityLabelApplied and workload SharePoint or OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED`.
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DestinationFileExtension	`target.file.mime_type`
DestinationFileName	`target.file.full_path`
DestinationRelativeUrl	`target.file.full_path`
DestinationLabel	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
HighPriorityMediaProcessing	`additional.fields.key` and `additional.fields.value.string_value`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListServerTemplate	`security_result.detection_fields.key/value`
ObjectId	`target.url`
Platform	`target.platform`
SensitivityLabelEventData.LabelEventType	`additional.fields.key` and `additional.fields.value.string_value`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelOwnerEmail	`security_result.about.user.email_addresses`
SensitivityLabelJustificationText	`security_result.detection_fields.key/value`
Site	`target.labels.key/value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	`src.file.full_path`
SourceRelativeUrl	`src.file.full_path`
SourceLabel	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`
UserKey	`additional.fields.key` and `additional.fields.value.string_value`
Version	`metadata.product_version`
WebId	`additional.fields.key` and `additional.fields.value.string_value`

QuarantineDenyReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the operation QuarantineDenyReleaseMessage and workload Quarantine:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Identity	`additional.fields.key` and `additional.fields.value.string_value`
NetworkMessageId	`security_result.detection_fields.key/value`
QuarantinePolicy	`security_result.detection_fields.key/value`
QuarantineType	`security_result.detection_fields.key/value`
RecipientTags	`security_result.detection_fields.key/value`
RequestSource	`security_result.detection_fields.key/value`
RequestType	`security_result.detection_fields.key/value`

QuarantineApproveReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the operation QuarantineApproveReleaseMessage and workload Quarantine:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Identity	`additional.fields.key` and `additional.fields.value.string_value`
NetworkMessageId	`security_result.detection_fields.key/value`
QuarantinePolicy	`security_result.detection_fields.key/value`
QuarantineType	`security_result.detection_fields.key/value`
RecipientTags	`security_result.detection_fields.key/value`
RequestSource	`security_result.detection_fields.key/value`
RequestType	`security_result.detection_fields.key/value`

CopilotInteraction

The following table lists the log fields and corresponding UDM mappings for the operation CopilotInteraction and workload Copilot:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_sub_type` is set to `Copilot Chat`.
CopilotEventData.AppHost	`target.application`
CopilotEventData.ThreadId	`target.resource.product_object_id`
CopilotEventData.AccessedResources	`target.resource.attribute.labels.key/value`
CopilotEventData.Contexts	`target.resource.attribute.labels.key/value`
CopilotEventData.MessageIds	`target.resource.attribute.labels.key/value`

Remove delegated permission grant.

The following table lists the log fields and corresponding UDM mappings for the operation Remove delegated permission grant. and workload Copilot:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_PERMISSIONS_CHANGE`.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`additional.fields.key` and `additional.fields.value.string_value`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
ObjectId	`target.resource.product_object_id`
SupportTicketId	`additional.fields.key` and `additional.fields.value.string_value`
Target	`security_result.detection_fields.key/value`
TargetContextId	`additional.fields.key` and `additional.fields.value.string_value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `additional.fields.key` and `additional.fields.value.string_value` If the `Name` log field value is equal to `additionalDetails`, then `User-Agent` is extracted from the `Value` log field using the Grok pattern and mapped to the `network.http.user_agent` UDM field. Else, if the `Name` log field value is equal to `extendedAuditEventCategory`, then the `Value` log field is mapped to the `target.resource.attribute.labels.key/value` UDM field. Else, the `Value` log field is mapped to the `additional.fields.key` and `additional.fields.value.string_value` UDM fields.
ModifiedProperties	`security_result.detection_fields.key/value`

FileCopiedToRemovableMedia

The following table lists the log fields and corresponding UDM mappings for the operation FileCopiedToRemovableMedia and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_COPY`.
Application	`principal.application`
DestinationLocationType	`additional.fields.key` and `additional.fields.value.string_value`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.FullUrl	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.StorageName	`additional.fields.key` and `additional.fields.value.string_value`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
MatchedPolicies.PolicyId	`security_result.detection_fields.key/value`
MatchedPolicies.PolicyName	`security_result.detection_fields.key/value`
MatchedPolicies.RuleId	`security_result.rule_id`
MatchedPolicies.RuleName	`security_result.rule_name`
ObjectId	`src.file.full_path`
OriginatingDomain	`principal.domain.name`
Platform	`target.platform`
PolicyMatchInfo.PolicyId	`target.resource.product_object_id`
PolicyMatchInfo.PolicyName	`security_result.summary`
PolicyMatchInfo.RuleId	`security_result.rule_id`
PolicyMatchInfo.RuleName	`security_result.rule_name`
PreviousFileName	`src.file.names`
RMSEncrypted	`security_result.detection_fields.key/value`
RemovableMediaDeviceAttributes.Manufacturer	`target.asset.hardware.manufacturer`
RemovableMediaDeviceAttributes.Model	`target.asset.hardware.model`
RemovableMediaDeviceAttributes.SerialNumber	`target.asset.hardware.serial_number`
Scope	`additional.fields.key` and `additional.fields.value.string_value`
SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetDomain	`target.domain.name`
TargetFilePath	`target.file.full_path`
TargetPrinterName	`target.asset.hostname`

TaskStatusSubmitted

The following table lists the log fields and corresponding UDM mappings for the operation TaskStatusSubmitted and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.type` is set to `TASK`.
ApplicationDisplayName	`target.application` and `target.resource.name`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
Entity	`metadata.product_name`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
Platform	`target.platform`
UserAgent	`network.http.user_agent`

ViewTile

The following table lists the log fields and corresponding UDM mappings for the operation ViewTile and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_sub_type` is set to `Tile`.
Activity	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
ConsumptionMethod	`additional.fields.key` and `additional.fields.key/value`
DashboardId	`target.resource.attribute.labels.key/value`
DashboardName	`target.resource.attribute.labels.key/value`
IsSuccess	`security_result.action`
ObjectId	`target.resource.name`
RefreshEnforcementPolicy	`security_result.detection_fields.key/value`
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
TileText	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`

AppDlpEvaluationResultChange

The following table lists the log fields and corresponding UDM mappings for the operation AppDlpEvaluationResultChange and workload PowerApps:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
AdditionalInfo	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`

ExportForm

The following table lists the log fields and corresponding UDM mappings for the operation ExportForm and workload MicrosoftForms:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
ActivityParameters.ExportFormat	`target.file.mime_type`
FormId	`target.resource.product_object_id`
FormName	`target.resource.name`
FormsUserType	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`target.resource.product_object_id`
SourceApp	`principal.application`

AppCleanedUpAfterExpiration

The following table lists the log fields and corresponding UDM mappings for the operation AppCleanedUpAfterExpiration and workload MicrosoftTeams:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
AddOnGuid	`additional.fields.key` and `additional.fields.value.string_value`
AddOnType	`additional.fields.key` and `additional.fields.value.string_value`
AppAccessContext.IssuedAtTime	`additional.fields.key` and `additional.fields.value.string_value`
AppAccessContext.UniqueTokenId	`additional.fields.key` and `additional.fields.value.string_value`
ChatThreadId	`target.user.group_identifiers`
ChatThreadId	`target.group.product_object_id`
OperationScope	`additional.fields.key` and `additional.fields.value.string_value`

PlanRead

The following table lists the log fields and corresponding UDM mappings for the operation PlanRead and workload Planner:

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`.
ContainerId	`target.resource.attribute.labels.key/value`
ContainerType	`target.resource.attribute.labels.key/value`
ObjectId	`target.resource.product_object_id`

FileTimelineMetadataAccessed

The following table lists the log fields and corresponding UDM mappings for the operation FileTimelineMetadataAccessed and workload OneDrive:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED`.
AlternateStreamId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application` and `target.resource.name`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
EventSource	`principal.application`
HighPriorityMediaProcessing	`additional.fields.key` and `additional.fields.value.string_value`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseType	`additional.fields.key` and `additional.fields.value.string_value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListServerTemplate	`security_result.detection_fields.key/value`
ObjectId	`target.url`
Platform	`target.platform`
Site	`additional.fields.key` and `additional.fields.value.string_value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path`
SourceRelativeUrl	`target.file.full_path`
UserAgent	`network.http.user_agent`

TimesheetSubmitted

The following table lists the log fields and corresponding UDM mappings for the operation TimesheetSubmitted and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`. `target.resource.resource_subtype` is set to `Timesheet`.
ApplicationDisplayName	`target.application` and `target.resource.name`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
Entity	`metadata.product_name`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
Platform	`target.platform`
UserAgent	`network.http.user_agent`

ViewForm

The following table lists the log fields and corresponding UDM mappings for the operation ViewForm and workload MicrosoftForms:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_ACCESS`.
FormId	`target.resource.product_object_id`
FormName	`target.resource.name`
FormsUserType	`additional.fields.key` and `additional.fields.value.string_value`
SourceApp	`principal.application`

TaskStatusSaved

The following table lists the log fields and corresponding UDM mappings for the operation TaskStatusSaved and workload Project:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
ApplicationDisplayName	`target.application` and `target.resource.name`
AuthenticationType	`additional.fields.key` and `additional.fields.value.string_value`
BrowserName	`additional.fields.key` and `additional.fields.value.string_value`
BrowserVersion	`additional.fields.key` and `additional.fields.value.string_value`
DeviceDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
Entity	`metadata.product_name`
EventSource	`principal.application`
IsManagedDevice	`additional.fields.key` and `additional.fields.value.string_value`
ItemType	`target.resource.attribute.labels.key/value`
Platform	`target.platform`
UserAgent	`network.http.user_agent`

RecordScopesConsent

The following table lists the log fields and corresponding UDM mappings for the operation RecordScopesConsent and workload PowerApps:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
AppName	`additional.fields.key` and `additional.fields.value.string_value`
ObjectId	`additional.fields.key` and `additional.fields.value.string_value`

EditFlow

The following table lists the log fields and corresponding UDM mappings for the operation EditFlow and workload MicrosoftFlow:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
FlowConnectorNames	`target.resource.name`
FlowDetailsUrl	`metadata.url_back_to_product`
ObjectId	`target.resource.product_object_id`
LicenseDisplayName	`additional.fields.key` and `additional.fields.value.string_value`
SharingPermission	`target.resource.attribute.labels.key/value`
UserTypeInitiated	`principal.user.attribute.labels.key/value`
UserUPN	`principal.user.attribute.labels.key/value`

AttackSimulationEvent

The following table lists the log fields and corresponding UDM mappings for the operation AttackSimulationEvent and workload AttackSimulation:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
AttackSimEvent	`security_result.detection_fields.key/value`
AttackTechnique	`security_result.attack_details.technique.name`
BatchId	`security_result.detection_fields.key/value`
CampaignId	`security_result.detection_fields.key/value`
EndTimeData	`security_result.detection_fields.key/value`
TimeData	`security_result.detection_fields.key/value`
UserDisplayName	`principal.user.user_display_name`

TaskAssigned

The following table lists the log fields and corresponding UDM mappings for the operation TaskAssigned and workload Planner:

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
ObjectId	`target.resource.product_object_id`
PlanId	`target.resource.attribute.labels.key/value`

FileTransferredByBluetooth

The following table lists the log fields and corresponding UDM mappings for the operation FileTransferredByBluetooth and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED`.
Application	`principal.application`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.FullUrl	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.StorageName	`additional.fields.key` and `additional.fields.value.string_value`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
ObjectId	`target.file.full_path`
Platform	`additional.fields.key` and `additional.fields.value.string_value`
RMSEncrypted	`security_result.detection_fields.key/value`
Scope	`additional.fields.key` and `additional.fields.value.string_value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetDomain	`target.domain.name`
TargetFilePath	`additional.fields.key` and `additional.fields.value.string_value`
TargetPrinterName	`target.asset.hostname`

FileCopiedToRemoteDesktopSession

The following table lists the log fields and corresponding UDM mappings for the operation FileCopiedToRemoteDesktopSession and workload Endpoint:

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED`.
Application	`principal.application`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.FullUrl	`additional.fields.key` and `additional.fields.value.string_value`
EvidenceFile.StorageName	`additional.fields.key` and `additional.fields.value.string_value`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
ObjectId	`target.file.full_path`
Platform	`additional.fields.key` and `additional.fields.value.string_value`
RMSEncrypted	`security_result.detection_fields.key/value`
Scope	`additional.fields.key` and `additional.fields.value.string_value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`additional.fields.key` and `additional.fields.value.string_value`
TargetDomain	`target.domain.name`
TargetFilePath	`additional.fields.key` and `additional.fields.value.string_value`
TargetPrinterName	`target.asset.hostname`

New-InsiderRiskPolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-InsiderRiskPolicy and workload SecurityComplianceCenter:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ClientApplication	`principal.application`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`additional.fields.key/value.string_value`
StartTime	`target.resource.attribute.creation_time`
UserServicePlan	`additional.fields.key/value.string_value`

AutoSensitivityLabelRuleMatch

The following table lists the log fields and corresponding UDM mappings for the operation AutoSensitivityLabelRuleMatch and workload Exchange:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ConditionMatch.SensitiveInformation.ClassifierType	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.Confidence	`security_result.confidence_details`
ConditionMatch.SensitiveInformation.Count	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.Id	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.Location	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.SensitiveInformationDetailedClassificationAttributes.IsMatch	`security_result.detection_fields.key/value`
ConditionMatch.SensitiveInformation.UniqueCount	`security_result.detection_fields.key/value`
ExchangeMetaData.From	`network.email.from`
ExchangeMetaData.MessageID	`additional.fields.key` and `additional.fields.value.string_value`
ExchangeMetaData.RecipientCount	`additional.fields.key` and `additional.fields.value.string_value`
ExchangeMetaData.Sent	`additional.fields.key` and `additional.fields.value.string_value`
ExchangeMetaData.To	`network.email.to`
ExecutionRuleId	`security_result.rule_id`
ExecutionRuleName	`security_result.rule_name`
ExecutionRuleVersion	`security_result.rule_version`
IsViewableByExternalUsers	`additional.fields.key` and `additional.fields.value.string_value`
ItemCreationTime	`target.resource.attribute.labels.key/value`
ItemLastModifiedTime	`target.resource.attribute.labels.key/value`
ItemSize	`target.resource.attribute.labels.key/value`
LabelId	`target.resource.attribute.labels.key/value`
LabelName	`target.resource.attribute.labels.key/value`
ItemName	`target.resource.name`
MachineName	`principal.hostname`
MgtRuleId	`security_result.detection_fields.key/value`
OverRideReason	`security_result.detection_fields.key/value`
OverRideType	`security_result.detection_fields.key/value`
PolicyId	`security_result.detection_fields.key/value`
PolicyName	`security_result.detection_fields.key/value`
PolicyVersion	`security_result.detection_fields.key/value`
RuleMode	`security_result.detection_fields.key/value`
ScopedLocationId	`security_result.detection_fields.key/value`
SensitiveInfoDetectionIsIncluded	`security_result.detection_fields.key/value`
WorkLoadItemId	`additional.fields.key` and `additional.fields.value.string_value`
Severity	`security_result.severity`

GetRefreshablesForCapacityAsAdmin

The following table lists the log fields and corresponding UDM mappings for the operation GetRefreshablesForCapacityAsAdmin and workload PowerBI:

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Activity	`additional.fields.key` and `additional.fields.value.string_value`
ActivityId	`additional.fields.key` and `additional.fields.value.string_value`
IsSuccess	`security_result.action`
RefreshEnforcementPolicy	`security_result.detection_fields.key/value`
RequestId	`additional.fields.key` and `additional.fields.value.string_value`
UserAgent	`network.http.user_agent`

What's next

Data ingestion to Google Security Operations