Collect Microsoft 365 logs

This document describes how to collect Microsoft 365 logs by setting up a Chronicle feed, and how the log fields map to Chronicle Unified Data Model (UDM) fields. It also lists the supported audited activities and the supported Microsoft 365 versions.

For an overview of ingesting data into Chronicle, see Data ingestion to Chronicle.

Overview

The following deployment architecture diagram shows how Microsoft 365 and a Chronicle feed are configured to send logs to Chronicle. Each customer deployment may differ from this representation and may be more complex.

Figure: Deployment architecture

The architecture diagram shows the following components:

  • Microsoft 365. The Microsoft 365 service from which you collect logs.

  • Chronicle feed. The Chronicle feed that pulls logs from Microsoft 365 and writes them to Chronicle.

  • Chronicle. Chronicle retains and analyzes the logs from Microsoft 365.

The ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.

Before you begin

  • Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later, and verify that you are subscribed to Microsoft 365 Enterprise E5 and the Microsoft Security and Compliance Center features.

  • Grant users the privileges and permissions required to generate and export the different events for all supported Microsoft products. For example permissions, see Permissions to access the Management API.

  • Configure Microsoft 365 to search and export logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. Logs can take up to 24 hours to be generated. For details, see Search the audit log.

  • Make sure that all systems in the deployment architecture are configured with the Coordinated Universal Time (UTC) time zone.

  • Review the activities and products supported by the Chronicle parser. The following table lists them:

    | Activity | Product |
    |---|---|
    | File and page activities | SharePoint Online and OneDrive for Business |
    | Folder activities | SharePoint Online and OneDrive for Business |
    | SharePoint list activities | SharePoint Online |
    | Sharing and access request activities | SharePoint Online and OneDrive for Business |
    | Sync activities | SharePoint Online and OneDrive for Business |
    | Site permission activities | SharePoint Online |
    | Site administration activities | SharePoint Online |
    | Exchange mailbox activities | Microsoft 365 group mailboxes |
    | User administration activities | Microsoft 365 admin center |
    | Azure AD group administration activities | Microsoft 365 admin center |
    | Application administration activities | When an admin adds or changes an application registered in Azure AD |
    | Role administration activities | Microsoft 365 admin center |
    | Directory administration activities | Microsoft 365 admin center |
    | Power BI activities | Power BI |
    | Microsoft Teams activities | Microsoft Teams |
    | Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
    | Microsoft Teams Healthcare activities | Patients app in Microsoft Teams |
    | Yammer activities | Yammer |
    | Microsoft Power Automate activities | Power Automate (formerly Microsoft Flow) |
    | Microsoft Power Apps activities | Power Apps |
    | Microsoft Stream activities | Microsoft Stream |
    | Quarantine activities | Quarantine email in Office 365 |
    | Microsoft Forms activities | Microsoft Teams |
    | Sensitivity label activities | Labeling for SharePoint Online and Teams activities |
    | Retention policy and retention label activities | N/A |
    | Briefing email activities | Briefing email |
    | MyAnalytics activities | MyAnalytics |
    | Information barrier activities | N/A |
    | Disposition review activities | N/A |
    | Communication compliance activities | N/A |
    | Undefined activities | N/A |

Configure a feed in Chronicle to ingest Microsoft 365 logs

  1. Go to Chronicle settings, then click Feeds.
  2. Click Add New.
  3. For Source type, select Third party API.
  4. Select Office 365 as the Log type.
  5. Click Next.
  6. Specify the OAuth client ID, OAuth client secret, and tenant ID details according to your Microsoft 365 configuration.
  7. Select the content type for which to create this feed. You must create a separate feed for each content type you need.
  8. Click Next, then click Submit.

For more information about Chronicle feeds, see the Chronicle feed documentation.

Field mapping reference

This section describes how the Chronicle parser maps Microsoft 365 log fields to Chronicle Unified Data Model (UDM) fields for the supported operations and workloads.

Common fields

The following table lists the common log fields and their corresponding UDM fields.

| Common log field | UDM field |
|---|---|
| ID | metadata.product_log_id |
| RecordType | security_result.detection_fields.key/value. security_result.detection_fields.key is set to {RecordType} - RecordTypeNameFromDoc; security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc |
| CreationTime | metadata.event_timestamp |
| Operation | metadata.product_event_type |
| OrganizationId | principal.resource.product_object_id |
| UserType | principal.user.attribute.roles.name |
| UserId | principal.user.email_addresses or principal.user.userid; target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant, UserId is mapped to target.user; otherwise UserId is mapped to principal.user. If the UserId value contains an email address, it is mapped to email_addresses; otherwise it is mapped to userid. |
| ClientIP | principal.ip and principal.port |
| Workload | target.application |
| AppAccessContext | network.session.id and security_result.detection_fields.key/value. AADSessionId is mapped to network.session.id; CorrelationId is mapped to security_result.detection_fields.key/value |

For the UDM mapping reference for each supported operation, see the following sections:

FileAccessed

The following table lists the log fields and corresponding UDM mappings for the FileAccessed operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileAccessedExtended

The following table lists the log fields and corresponding UDM mappings for the FileAccessedExtended operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileDeleted

The following table lists the log fields and corresponding UDM mappings for the FileDeleted operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileCopied

The following table lists the log fields and corresponding UDM mappings for the FileCopied operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_COPY |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | src.file.full_path and target.file.full_path. Extracted from EventData: SourceFileUrl is mapped to src.file.full_path; TargetFileUrl is mapped to target.file.full_path |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileModified

The following table lists the log fields and corresponding UDM mappings for the FileModified operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_MODIFICATION |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |

FileDownloaded

The following table lists the log fields and corresponding UDM mappings for the FileDownloaded operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | src.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| UserSessionId | network.http.session_id |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ZipFileName | principal.resource.parent |

FileModifiedExtended

The following table lists the log fields and corresponding UDM mappings for the FileModifiedExtended operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_MODIFICATION |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |

FileMoved

The following table lists the log fields and corresponding UDM mappings for the FileMoved operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_MOVE |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | src.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
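As an added worked example (not code from this page or from Chronicle's own parser), the following Python applies the rules of the Common fields section above (conditional UserId noun, email vs. userid, ClientIP split, AppAccessContext, RecordType detection field) together with the src/target file-path rules of the FileMoved table to constructed sample records. TARGET_USER_OPERATIONS comes from the page; OPERATION_RULES, RECORD_TYPES and the sample values are assumptions.

```python
import ipaddress
import re

# Operations whose UserId maps to target.user; all others map it to principal.user (common-field table).
TARGET_USER_OPERATIONS = {"UserLoggedIn", "UserLoginFailed", "Add OAuth2PermissionGrant",
                          "TeamsUserSignedOut", "Add delegated permission grant"}
# Operation -> (metadata.event_type, noun that receives ObjectId and the source path); a subset of the tables.
OPERATION_RULES = {"FileAccessed": ("USER_RESOURCE_ACCESS", "target"), "FileDeleted": ("FILE_DELETION", "target"),
                   "FileDownloaded": ("USER_RESOURCE_UPDATE_CONTENT", "src"), "FileMoved": ("FILE_MOVE", "src"),
                   "FileRenamed": ("FILE_MOVE", "src")}
# RecordType -> (name, description): a constructed stand-in for Microsoft's AuditLogRecordType table.
RECORD_TYPES = {6: ("SharePointFileOperation", "SharePoint file operation events."),
                15: ("AzureActiveDirectoryStsLogon", "STS logon events in Azure AD.")}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def put(udm, path, value):
    """Set a dotted UDM path such as 'principal.user.userid'; empty values are skipped."""
    if value in (None, "", []):
        return
    *parents, leaf = path.split(".")
    node = udm
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def detection_field(udm, key, value):
    """Append one security_result.detection_fields key/value pair."""
    if value not in (None, ""):
        fields = udm.setdefault("security_result", {}).setdefault("detection_fields", [])
        fields.append({"key": key, "value": str(value)})


def split_client_ip(value):
    """Split ClientIP into (address, port); accepts '203.0.113.5', '203.0.113.5:50123',
    '2001:db8::1' and '[2001:db8::1]:443'. Returns (None, None) for an invalid address."""
    value, port = value.strip(), ""
    if value.startswith("["):                 # bracketed IPv6, optionally followed by :port
        value, _, port = value[1:].partition("]")
        port = port.lstrip(":")
    elif value.count(":") == 1:               # IPv4 followed by :port
        value, _, port = value.partition(":")
    try:
        return str(ipaddress.ip_address(value)), (int(port) if port else None)
    except ValueError:
        return None, None


def join_path(relative_url, file_name):
    """Build '{RelativeUrl}/{FileName}' as the FileMoved and FileDownloaded tables describe."""
    return "/".join(p.strip("/") for p in (relative_url, file_name) if p) or None


def normalize(record):
    """Map one Office 365 audit record to the UDM fields described on this page."""
    udm, op = {}, record.get("Operation", "")
    put(udm, "metadata.product_log_id", record.get("Id"))
    put(udm, "metadata.event_timestamp", record.get("CreationTime"))
    put(udm, "metadata.product_event_type", op)
    put(udm, "target.application", record.get("Workload"))
    # RecordType becomes a detection field keyed "{RecordType} - <name>" with the description as value.
    name, description = RECORD_TYPES.get(record.get("RecordType"), ("Unknown", "Not in lookup"))
    detection_field(udm, f"{record.get('RecordType')} - {name}", description)
    # UserId: noun depends on Operation; an email address goes to email_addresses, anything else to userid.
    user_id = record.get("UserId")
    if user_id:
        noun = "target" if op in TARGET_USER_OPERATIONS else "principal"
        field, val = ("email_addresses", [user_id]) if EMAIL_RE.fullmatch(user_id) else ("userid", user_id)
        put(udm, f"{noun}.user.{field}", val)
    # ClientIP -> principal.ip and principal.port; AppAccessContext -> session id and CorrelationId.
    if record.get("ClientIP"):
        ip, port = split_client_ip(record["ClientIP"])
        put(udm, "principal.ip", [ip] if ip else None)
        put(udm, "principal.port", port)
    context = record.get("AppAccessContext") or {}
    put(udm, "network.session.id", context.get("AADSessionId"))
    detection_field(udm, "CorrelationId", context.get("CorrelationId"))
    # Operation-specific part. Moves, renames and downloads put ObjectId and the source path under src.*
    # (built as "{RelativeUrl}/{FileName}"); other file operations use target.* with whichever of
    # SourceRelativeUrl or SourceFileName is present. Operations outside the lookup get no event_type here.
    if op in OPERATION_RULES:
        event_type, noun = OPERATION_RULES[op]
        put(udm, "metadata.event_type", event_type)
        put(udm, f"{noun}.url", record.get("ObjectId"))
        if noun == "src":
            put(udm, "src.file.full_path", join_path(record.get("SourceRelativeUrl"), record.get("SourceFileName")))
            put(udm, "target.file.full_path",
                join_path(record.get("DestinationRelativeUrl"), record.get("DestinationFileName")))
        else:
            put(udm, "target.file.full_path", record.get("SourceRelativeUrl") or record.get("SourceFileName"))
    return udm


# Constructed sample records (not real tenant data) in the Office 365 Management Activity API shape.
SAMPLE_RECORDS = [
    {"Id": "00000000-0000-4000-8000-000000000001", "RecordType": 6, "CreationTime": "2024-05-01T10:15:30",
     "Operation": "FileMoved", "Workload": "SharePoint", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.5:50123", "SourceRelativeUrl": "Shared Documents/Finance",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/Finance/q3-forecast.xlsx",
     "SourceFileName": "q3-forecast.xlsx", "DestinationRelativeUrl": "Shared Documents/Archive/",
     "DestinationFileName": "q3-forecast-final.xlsx",
     "AppAccessContext": {"AADSessionId": "sess-0001", "CorrelationId": "corr-0001"}},
    {"Id": "00000000-0000-4000-8000-000000000002", "RecordType": 15, "CreationTime": "2024-05-01T10:16:00",
     "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "[2001:db8::1]:443",
     "Workload": "AzureActiveDirectory"},
]
```

Running `normalize` over both sample records shows the FileMoved record landing under principal.user and src.*/target.* paths, while the UserLoggedIn record lands under target.user with an IPv6 address and port split apart.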

FilePreviewed

The following table lists the log fields and corresponding UDM mappings for the FilePreviewed operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the FileRenamed operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_MOVE |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | src.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |

FileUploaded

The following table lists the log fields and corresponding UDM mappings for the FileUploaded operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_SYNC |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ImplicitShare | target.resource.attribute.labels.key/value |

FileVersionsAllDeleted

The following table lists the log fields and corresponding UDM mappings for the FileVersionsAllDeleted operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |

FileCheckedIn

The following table lists the log fields and corresponding UDM mappings for the FileCheckedIn operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | intermediary.application (mapped together with Workload) |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileCheckedOut

The following table lists the log fields and corresponding UDM mappings for the FileCheckedOut operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| | target.resource.resource_type is set to STORAGE_OBJECT |
| ObjectId | target.url |
| Site | Uniquely identifies the resource in the site, such as a file or folder |
| ItemType | Contains values such as File, Folder, Web, Site, Tenant, and DocumentLibrary |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | Information about the user's browser, as provided by the browser |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | Not mapped to target.file.full_path, because SiteUrl does not contain a system path |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

ComplianceSettingChanged

The following table lists the log fields and corresponding UDM mappings for the ComplianceSettingChanged operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION |
| | target.resource.resource_type is set to SETTING |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| SharingType | target.labels.key/value |

LockRecord

The following table lists the log fields and corresponding UDM mappings for the LockRecord operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

UnlockRecord

The following table lists the log fields and corresponding UDM mappings for the UnlockRecord operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the FileDeletedFirstStageRecycleBin operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SharingType | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the FileDeletedSecondStageRecycleBin operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

RecordDelete

The following table lists the log fields and corresponding UDM mappings for the RecordDelete operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to RESOURCE_DELETION |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the DocumentSensitivityMismatchDetected operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the DocumentSensitivityMismatchDetected operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileCheckOutDiscarded

The following table lists the log fields and corresponding UDM mappings for the FileCheckOutDiscarded operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileVersionsAllMinorsRecycled

The following table lists the log fields and corresponding UDM mappings for the FileVersionsAllMinorsRecycled operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileVersionsAllRecycled

The following table lists the log fields and corresponding UDM mappings for the FileVersionsAllRecycled operation and the SharePoint/OneDrive workload:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_DELETION |
| ObjectId | target.url |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |

FileVersionRecycled

The following table lists the log fields of the operation "FileVersionRecycled" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileRestored

The following table lists the log fields of the operation "FileRestored" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SharingType target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileMalwareDetected

The following table lists the log fields of the operation "FileMalwareDetected" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
VirusInfo security_result.threat_name
VirusVendor target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

SearchQueryPerformed

The following table lists the log fields of the operation "SearchQueryPerformed" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventData target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

PageViewed

The following table lists the log fields of the operation "PageViewed" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

PagePrefetched

The following table lists the log fields of the operation "PagePrefetched" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ClientViewSignaled

The following table lists the log fields of the operation "ClientViewSignaled" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

PageViewedExtended

The following table lists the log fields of the operation "PageViewedExtended" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

FolderCreated

The following table lists the log fields of the operation "FolderCreated" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeleted

The following table lists the log fields of the operation "FolderDeleted" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderMoved

The following table lists the log fields of the operation "FolderMoved" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} (the SourceRelativeUrl field is not present in the log)
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} (the DestinationRelativeUrl field is not present in the log)
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} (the DestinationFileName field is not present in the log)

DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData src.file.full_path and target.file.full_path: SourceFileUrl is extracted from EventData and mapped to src.file.full_path, and TargetFileUrl is extracted from EventData and mapped to target.file.full_path, using the grok pattern {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderRenamed

The following table lists the log fields of the operation "FolderRenamed" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderModified

The following table lists the log fields of the operation "FolderModified" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderCopied

The following table lists the log fields of the operation "FolderCopied" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path
SourceRelativeUrl src.file.full_path
DestinationRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderRestored

The following table lists the log fields of the operation "FolderRestored" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedFirstStageRecycleBin

The following table lists the log fields of the operation "FolderDeletedFirstStageRecycleBin" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedSecondStageRecycleBin

The following table lists the log fields of the operation "FolderDeletedSecondStageRecycleBin" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadedFull

The following table lists the log fields of the operation "FileSyncDownloadedFull" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadedPartial

The following table lists the log fields of the operation "FileSyncDownloadedPartial" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadedFull

The following table lists the log fields of the operation "FileSyncUploadedFull" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadedPartial

The following table lists the log fields of the operation "FileSyncUploadedPartial" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ManagedSyncClientAllowed

The following table lists the log fields of the operation "ManagedSyncClientAllowed" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

UnmanagedSyncClientBlocked

The following table lists the log fields of the operation "UnmanagedSyncClientBlocked" and workload "SharePoint/OneDrive" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

AddedToGroup

The following table lists the log fields of the operation "AddedToGroup" and workload "SharePoint" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.group.group_display_name
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
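The conditional rules in these tables are easier to reason about when applied to concrete records. The following is an added Python example, not the Chronicle parser and not code from this page, that applies three of the documented mappings to constructed audit records: the {SourceRelativeUrl}/{SourceFileName} composition for FileRestored, the SourceFileUrl/TargetFileUrl extraction from EventData for FolderMoved, and the TargetUserOrGroupType branching for AddedToGroup. The XML-style tag form of EventData, the contoso.example URLs, and routing an address-shaped value to email_addresses rather than userid are assumptions.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample audit records (not from a real tenant); field names follow the
# Office 365 audit schema used in the tables above and contoso.example is a placeholder.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {
        "Operation": "FileRestored",
        "ObjectId": "https://contoso.example/sites/hr/Shared Documents/q1/report.docx",
        "SourceRelativeUrl": "Shared Documents/q1",
        "SourceFileName": "report.docx",
        "DestinationRelativeUrl": "Shared Documents/q1",
        "DestinationFileName": "report.docx",
    },
    {
        "Operation": "FolderMoved",
        # Assumption: the grok pattern documented for FolderMoved references
        # SourceFileUrl/TargetFileUrl inside EventData; modelled here as XML-style tags.
        "EventData": (
            "<SourceFileUrl>https://contoso.example/sites/hr/Shared Documents/old</SourceFileUrl>"
            "<TargetFileUrl>https://contoso.example/sites/hr/Shared Documents/new</TargetFileUrl>"
        ),
    },
    {
        "Operation": "AddedToGroup",
        "ObjectId": "https://contoso.example/sites/hr",
        "TargetUserOrGroupName": "alice@contoso.example",
        "TargetUserOrGroupType": "Member",
    },
    {
        "Operation": "AddedToGroup",
        "ObjectId": "https://contoso.example/sites/hr",
        "TargetUserOrGroupName": "HR Owners",
        "TargetUserOrGroupType": "SharePointGroup",
    },
]

# metadata.event_type per operation, as documented in the tables above.
EVENT_TYPES = {
    "FileRestored": "FILE_UNCATEGORIZED",
    "FolderMoved": "FILE_MOVE",
    "AddedToGroup": "GROUP_MODIFICATION",
}

# TargetUserOrGroupType values routed to target.group vs target.user (compared
# case-insensitively, since the page spells the group type "SharepointGroup").
GROUP_TYPES = {"securitygroup", "sharepointgroup"}
USER_TYPES = {"guest", "member"}

_EVENTDATA_RE = re.compile(
    r"<SourceFileUrl>(?P<src>.*?)</SourceFileUrl>\s*"
    r"<TargetFileUrl>(?P<dst>.*?)</TargetFileUrl>",
    re.DOTALL,
)

def join_path(relative_url: Optional[str], file_name: Optional[str]) -> Optional[str]:
    """Compose {RelativeUrl}/{FileName}; fall back to whichever part is present."""
    if relative_url and file_name:
        return f"{relative_url.rstrip('/')}/{file_name}"
    return relative_url or file_name or None

def map_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Return the subset of UDM fields this example covers, keyed by UDM path."""
    op = rec.get("Operation")
    if op not in EVENT_TYPES:
        raise ValueError(f"operation not covered by this example: {op!r}")
    udm: Dict[str, Any] = {"metadata.event_type": EVENT_TYPES[op]}

    if op == "FileRestored":
        udm["target.resource.resource_type"] = "STORAGE_OBJECT"
        udm["src.url"] = rec.get("ObjectId")
        udm["src.file.full_path"] = join_path(rec.get("SourceRelativeUrl"), rec.get("SourceFileName"))
        udm["target.file.full_path"] = join_path(
            rec.get("DestinationRelativeUrl"), rec.get("DestinationFileName")
        )

    elif op == "FolderMoved":
        udm["target.resource.resource_type"] = "STORAGE_OBJECT"
        match = _EVENTDATA_RE.search(rec.get("EventData") or "")
        if match:
            udm["src.file.full_path"] = match.group("src")
            udm["target.file.full_path"] = match.group("dst")
        # Without the tags both paths stay unset: the relative-URL and file-name
        # fields are documented as absent from FolderMoved records.

    elif op == "AddedToGroup":
        udm["target.url"] = rec.get("ObjectId")
        name = rec.get("TargetUserOrGroupName")
        kind = (rec.get("TargetUserOrGroupType") or "").lower()
        if kind in GROUP_TYPES:
            udm["target.group.group_display_name"] = name
        elif kind in USER_TYPES and name:
            # Assumption: an address-shaped value goes to email_addresses, otherwise userid.
            if "@" in name:
                udm["target.user.email_addresses"] = [name]
            else:
                udm["target.user.userid"] = name
    return udm
```

Running map_record over SAMPLE_RECORDS shows which UDM paths a search for a given operation should key on (src.* for restores and moves, target.group versus target.user for membership changes).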

GroupAdded

The following table lists the log fields of the operation "GroupAdded" and workload "SharePoint" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupRemoved

The following table lists the log fields of the operation "GroupRemoved" and workload "SharePoint" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebRequestAccessModified

The following table lists the log fields of the operation "WebRequestAccessModified" and workload "SharePoint" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebMembersCanShareModified

The following table lists the log fields of the operation "WebMembersCanShareModified" and workload "SharePoint" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
version metadata.product_version
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

PermissionLevelModified

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelModified" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.resource.attribute.permissions.name: BasePermissions is mapped to target.resource.attribute.permissions.name
version metadata.product_version
WebID about.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminAdded

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminAdded" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ModifiedProperties if the Name property is SiteAdmin, NewValue is mapped to target.user.userid or target.user.email_addresses
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminRemoved" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ModifiedProperties if the Name property is SiteAdmin, NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId about.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

PermissionLevelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelRemoved" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.permissions.name
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

RemovedFromGroup

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromGroup" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.group.group_display_name
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "GroupUpdated" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.referral_url
ModifiedProperties if the Name property is Name, NewValue is mapped to target.group.group_display_name
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

ProjectCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectCheckedOut" and the workload "Project":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

ProjectAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectAccessed" and the workload "Project":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

SharingInheritanceBroken

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInheritanceBroken" and the workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application

AddedToSecureLink

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToSecureLink" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId security_result.detection_fields.key/value
EventData target.resource.attribute.labels.key/value, extracted using grok:
grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}
Type is mapped to target.resource.attribute.labels.key/value
MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId target.labels.key/value
Version metadata.product_version
WebId about.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ApplicationDisplayName target.application

CompanyLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkCreated" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
ApplicationDisplayName target.application

CompanyLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkUsed" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

SecureLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkCreated" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value

SharingInvitationCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationCreated" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value: Sharing level is mapped to target.resource.attribute.labels.key/value; ExpirationDate is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkDeleted" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value, extracted using grok:
grok {
  match => {
    "EventData" => "<Type>{type_value}</Type>"
  }
}
Type is mapped to target.resource.attribute.labels.key/value
UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application

RemovedFromSecureLink

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSecureLink" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value, extracted using grok:
grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}
Type is mapped to target.resource.attribute.labels.key/value
MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

SharingInvitationRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationRevoked" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUpdated" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value, extracted using grok:
grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}
Type is mapped to target.resource.attribute.labels.key/value
MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUsed" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

SharingRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingRevoked" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

SharingSet

The following table lists the log fields and corresponding UDM mappings for the operation "SharingSet" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

PermissionLevelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelAdded" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.permissions.name: BasePermissions is mapped to target.resource.attribute.permissions.name

SharingInvitationAccepted

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationAccepted" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.name: Added to Group is mapped to target.resource.name

SharingInvitationBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationBlocked" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData security_result.summary: Reason is mapped to security_result.summary

AccessRequestCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestCreated" and the workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData target.resource.attribute.labels.key/value: Sharing level is mapped to target.resource.attribute.labels.key/value; ExpirationDate is mapped to target.resource.attribute.labels.key/value

AnonymousLinkCreated

The following table lists the log fields and corresponding UDM mappings for the action AnonymousLinkCreated and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>%{DATA:type_value}</Type><MembersCanShareApplied>%{DATA:members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value

AccessRequestUpdated

The following table lists the log fields and corresponding UDM mappings for the action AccessRequestUpdated and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

ModifiedProperties target.labels.key/value

CompanyLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the action CompanyLinkRemoved and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>%{DATA:type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

AccessRequestApproved

The following table lists the log fields and corresponding UDM mappings for the action AccessRequestApproved and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
EventData target.resource.name

Extract using grok:

grok {
  match => {
    "EventData" => "<Added to group>%{DATA:target_resource_name}.*"
  }
}

TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

AnonymousLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the action AnonymousLinkRemoved and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value
SourceFileExtension target.file.mime_type
UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>%{DATA:type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
MachineId target.asset.product_object_id

AnonymousLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the action AnonymousLinkUpdated and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>%{DATA:type_value}</Type><MembersCanShareApplied>%{DATA:members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
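The sharing-event rules from the SharePoint/OneDrive tables above (metadata.event_type per operation, the grok over EventData, the TargetUserOrGroupType routing, and the SourceRelativeUrl/SourceFileName fallback) applied to audit records, as an added example that is not Chronicle's own parser code. The sample records are constructed, and the handling of "userid or email_addresses" is an assumption noted in the code.

```python
# Added example, not Chronicle's own parser: applies the SharePoint/OneDrive sharing
# rules from the tables above (event type, grok over EventData, TargetUserOrGroupType
# routing, full_path fallback) to constructed audit records.
import re

# Operation -> metadata.event_type, as given by each table's first row.
EVENT_TYPE_BY_OPERATION = {
    "AccessRequestCreated": "USER_RESOURCE_ACCESS",
    "AnonymousLinkCreated": "USER_RESOURCE_CREATION",
    "AccessRequestUpdated": "STATUS_UPDATE",
    "CompanyLinkRemoved": "USER_RESOURCE_DELETION",
    "AccessRequestApproved": "USER_RESOURCE_UPDATE_PERMISSION",
    "AnonymousLinkRemoved": "USER_RESOURCE_DELETION",
    "AnonymousLinkUpdated": "STATUS_UPDATE",
}
# Regex form of the page's grok over EventData; <MembersCanShareApplied> is optional
# because CompanyLinkRemoved and AnonymousLinkRemoved only extract <Type>.
EVENT_DATA_RE = re.compile(
    r"<Type>(?P<type_value>[^<]*)</Type>"
    r"(?:<MembersCanShareApplied>(?P<members_share_value>[^<]*)</MembersCanShareApplied>)?"
)
GROUP_TYPES = {"SecurityGroup", "SharepointGroup"}  # -> target.group.group_display_name
USER_TYPES = {"Guest", "Member"}  # -> target.user.userid / email_addresses
# One-to-one rows shared by every sharing table (source field -> UDM path).
DIRECT_ROWS = (
    ("ObjectId", "target.url"),
    ("EventSource", "principal.application"),
    ("UserAgent", "network.http.user_agent"),
    ("SiteUrl", "network.http.referral_url"),
    ("SourceFileExtension", "target.file.mime_type"),
    ("ApplicationDisplayName", "target.application"),
    ("ListItemUniqueId", "principal.asset_id"),
    ("Version", "metadata.product_version"),
)


def map_target_user_or_group(record, udm):
    """Route TargetUserOrGroupName by TargetUserOrGroupType, as the tables state."""
    name, kind = record.get("TargetUserOrGroupName"), record.get("TargetUserOrGroupType")
    if not name:
        return
    if kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif kind in USER_TYPES:
        # Assumption for "userid or email_addresses": userid always, the address list
        # only when the value looks like an e-mail address.
        udm["target.user.userid"] = name
        if "@" in name:
            udm["target.user.email_addresses"] = [name]


def map_sharing_event(record):
    """Return a flat dict of UDM paths for one SharePoint/OneDrive sharing record."""
    operation = record.get("Operation")
    if operation not in EVENT_TYPE_BY_OPERATION:
        raise ValueError(f"operation not covered by the sharing tables: {operation!r}")
    udm = {"metadata.event_type": EVENT_TYPE_BY_OPERATION[operation]}
    for source, dest in DIRECT_ROWS:
        if record.get(source) not in (None, ""):
            udm[dest] = record[source]
    # target.file.full_path is set to SourceRelativeUrl or SourceFileName.
    full_path = record.get("SourceRelativeUrl") or record.get("SourceFileName")
    if full_path:
        udm["target.file.full_path"] = full_path
    # ListId and CorrelationId go to security_result.detection_fields.
    detection = {key: record[key] for key in ("ListId", "CorrelationId") if record.get(key)}
    if detection:
        udm["security_result.detection_fields"] = detection
    # ItemType and the grok-extracted EventData values become resource labels.
    labels = {"ItemType": record["ItemType"]} if record.get("ItemType") else {}
    match = EVENT_DATA_RE.search(record.get("EventData") or "")
    if match:
        labels["Type"] = match.group("type_value")
        if match.group("members_share_value") is not None:
            labels["MembersCanShareApplied"] = match.group("members_share_value")
    if labels:
        udm["target.resource.attribute.labels"] = labels
    map_target_user_or_group(record, udm)
    return udm


# Constructed sample records (not real tenant data).
SAMPLE_LINK_UPDATED = {
    "Operation": "AnonymousLinkUpdated",
    "ObjectId": "https://contoso.example/sites/finance/Shared Documents/budget.xlsx",
    "SiteUrl": "https://contoso.example/sites/finance/",
    "SourceRelativeUrl": "Shared Documents", "SourceFileName": "budget.xlsx",
    "SourceFileExtension": "xlsx", "ItemType": "File",
    "EventData": "<Type>View</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
    "TargetUserOrGroupName": "Finance Members", "TargetUserOrGroupType": "SharepointGroup",
    "CorrelationId": "constructed-correlation-id", "Version": "1",
}
SAMPLE_LINK_REMOVED = {
    "Operation": "AnonymousLinkRemoved",
    "ObjectId": "https://contoso.example/personal/alice/Documents/notes.docx",
    "SourceFileName": "notes.docx", "EventData": "<Type>Edit</Type>",
    "TargetUserOrGroupName": "guest@example.com", "TargetUserOrGroupType": "Guest",
}
```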

SharingInvitationUpdated

The following table lists the log fields and corresponding UDM mappings for the action SharingInvitationUpdated and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
ApplicationDisplayName target.application
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ModifiedProperties target.labels.key/value

AnonymousLinkUsed

The following table lists the log fields and corresponding UDM mappings for the action AnonymousLinkUsed and the workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Add group

The following table lists the log fields and corresponding UDM mappings for the action Add group and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ResultStatus is Success

Action is set to ALLOW

security_result.summary is set to Group creation successful

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is set to Group creation failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add member to group

The following table lists the log fields and corresponding UDM mappings for the action Add member to group and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add user

The following table lists the log fields and corresponding UDM mappings for the action Add user and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else map about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Change user license

The following table lists the log fields and corresponding UDM mappings for the action Change user license and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is Is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Change user password

The following table lists the log fields and corresponding UDM mappings for the action Change user password and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Delete group

The following table lists the log fields and corresponding UDM mappings for the action Delete group and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group deletion successful

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group deletion failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Remove member from group

The following table lists the log fields and corresponding UDM mappings for the action Remove member from group and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Delete user

The following table lists the log fields and corresponding UDM mappings for the action Delete user and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

If ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to User deleted successfully

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Update user

The following table lists the log fields and corresponding UDM mappings for the action Update user and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success

Action is set to ALLOW

security_result.summary is User updated successfully

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is User update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Update group

The following table lists the log fields and corresponding UDM mappings for the action Update group and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

If ObjectId is neither empty nor Not Available then ObjectId is mapped to target.group.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.detection_fields.key/value

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.detection_fields.key/value

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

If Name is TargetId.UserType then NewValue and OldValue are mapped to target.labels.key/value

If Name is StrongAuthenticationPhoneAppDetail then from NewValue, DeviceName is mapped to target.asset.hostname, PhoneAppVersion is mapped to target.asset.software.version, DeviceId is mapped to target.asset.asset_id, Id is mapped to target.asset.product_object_id, DeviceToken is mapped to target.asset.attribute.labels.key/value, DeviceTag is mapped to target.asset.attribute.labels.key/value, OathTokenTimeDrift is mapped to security_result.detection_fields.key/value, TimeInterval is mapped to security_result.detection_fields.key/value, AuthenticationType is mapped to security_result.detection_fields.key/value, NotificationType is mapped to target.asset.attribute.labels.key/value, LastAuthenticatedTimestamp is mapped to security_result.detection_fields.key/value, AuthenticatorFlavor is mapped to security_result.detection_fields.key/value, HashFunction is mapped to security_result.detection_fields.key/value, TenantDeviceId is mapped to target.labels.key/value, SecuredPartitionId is mapped to security_result.detection_fields.key/value, SecuredKeyId is mapped to security_result.detection_fields.key/value.

If Name is StrongAuthenticationPhoneAppDetail then from OldValue, DeviceName is mapped to about.asset.hostname, PhoneAppVersion is mapped to about.asset.software.version, DeviceId is mapped to about.asset.asset_id, Id is mapped to about.asset.product_object_id, DeviceToken is mapped to about.asset.attribute.labels.key/value, DeviceTag is mapped to about.asset.attribute.labels.key/value, OathTokenTimeDrift is mapped to security_result.detection_fields.key/value, TimeInterval is mapped to security_result.detection_fields.key/value, AuthenticationType is mapped to security_result.detection_fields.key/value, NotificationType is mapped to about.asset.attribute.labels.key/value, LastAuthenticatedTimestamp is mapped to security_result.detection_fields.key/value, AuthenticatorFlavor is mapped to security_result.detection_fields.key/value, HashFunction is mapped to security_result.detection_fields.key/value, TenantDeviceId is mapped to about.labels.key/value, SecuredPartitionId is mapped to security_result.detection_fields.key, SecuredKeyId is mapped to security_result.detection_fields.key.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

UserLoggedIn

The following table lists the log fields and corresponding UDM mappings for the action UserLoggedIn and the workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

If ResultStatus is Succeeded or ResultStatus is Success

security_result.action is ALLOW

security_result.summary is User login successful

else if ResultStatus is Failed or LogonError is not empty

security_result.action is BLOCK

security_result.summary is User login failed

security_result.description is {LogonError}

UserId is mapped to target.user.userid or target.user.email_addresses

metadata.description is User Login - {Workload}

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS {

If Value matches Windows then principal.platform is WINDOWS

If Value matches Mac then principal.platform is MAC

If Value matches Linux then principal.platform is LINUX

}

If Name is SessionId then Value is mapped to network.session_id

If Name is OS then Value is mapped to principal.platform

If Name is DisplayName then Value is mapped to principal.hostname

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

UserLoggedIn

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoggedIn" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

security_result.action is set to BLOCK

security_result.summary is User login failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

If Name is RequestType and Value matches Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE

If Name is RequestType and Value matches Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE

If Name is UserAgent then Value is mapped to network.http.user_agent

If Name is UserAuthenticationMethod then extensions.auth.type is mapped based on Value

If Name is requestType then extensions.auth.type is mapped based on Value

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS {

If Value matches Windows then principal.platform is WINDOWS

If Value matches Mac then principal.platform is MAC

If Value matches Linux then principal.platform is LINUX

}

If Name is SessionId then Value is mapped to network.session_id

If Name is OS then Value is mapped to principal.platform

If Name is DisplayName then Value is mapped to principal.hostname

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

UserLoginFailed

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoginFailed" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Update StsRefreshTokenValidFrom Timestamp

The following table lists the log fields and corresponding UDM mappings for the operation "Update StsRefreshTokenValidFrom Timestamp" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

If ResultStatus is Success then security_result.action is set to ALLOW

If ResultStatus is Failure then security_result.action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If DisplayName is present in ModifiedProperties, it is mapped to target.resource.name; otherwise the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Update device

The following table lists the log fields and corresponding UDM mappings for the operation "Update device" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_MODIFICATION UDM validation: principal.machineid (IP, hostname, assetId, MAC, etc.).

The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some cases the ClientIP field is absent.

If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Set federation settings on domain

The following table lists the log fields and corresponding UDM mappings for the operation "Set federation settings on domain" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

Required fields for STATUS_UNCATEGORIZED UDM validation: principal.machineid (IP, hostname, assetId, MAC, etc.).

The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some cases the ClientIP field is absent.

If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Verify domain

The following table lists the log fields and corresponding UDM mappings for the operation "Verify domain" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Set company information

The following table lists the log fields and corresponding UDM mappings for the operation "Set company information" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Reset user password

The following table lists the log fields and corresponding UDM mappings for the operation "Reset user password" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.description

security_result.summary

target.labels.key/value

If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue}

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Disable account

The following table lists the log fields and corresponding UDM mappings for the operation "Disable account" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Delete app-specific password for user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete app-specific password for user" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

If ResultStatus is Success then security_result.action is set to ALLOW

If ResultStatus is Failure then security_result.action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If DisplayName is present in ModifiedProperties, it is mapped to target.resource.name; otherwise the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Delete device

The following table lists the log fields and corresponding UDM mappings for the operation "Delete device" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

If ResultStatus is Success then security_result.action is set to ALLOW

If ResultStatus is Failure then security_result.action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If DisplayName is present in ModifiedProperties, it is mapped to target.resource.name; otherwise the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add registered users to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered users to device" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add registered owner to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered owner to device" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add owner to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to group" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product_object_id

target.group.group_display_name

If Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add OAuth2PermissionGrant

The following table lists the log fields and corresponding UDM mappings for the operation "Add OAuth2PermissionGrant" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summary

If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add device

The following table lists the log fields and corresponding UDM mappings for the operation "Add device" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

If ResultStatus is Success then security_result.action is set to ALLOW

If ResultStatus is Failure then security_result.action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If DisplayName is present in ModifiedProperties, it is mapped to target.resource.name; otherwise the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
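
As an added example (not the Chronicle parser's own code), the following Python sketch applies the device-event rules shared by the "Add device", "Delete device" and "Update StsRefreshTokenValidFrom Timestamp" tables: ResultStatus to security_result.action, ExtendedProperties routing into product_object_id, user agent and labels, the ModifiedProperties fields, and the DisplayName-before-Target-ID rule for target.resource.name. The sample records, the JSON shape assumed for additionalDetails and the helper names are assumptions.

```python
import json

# Constructed sample records (values invented); additionalDetails is assumed to carry a
# JSON object with a "User-Agent" key, and ModifiedProperties NewValue plain strings.
SAMPLE_ADD_DEVICE = {
    "ResultStatus": "Success",
    "Version": 1,
    "ExtendedProperties": [
        {"Name": "targetObjectId", "Value": "constructed-object-id-1"},
        {"Name": "additionalDetails", "Value": json.dumps({"User-Agent": "Mozilla/5.0 (constructed)"})},
        {"Name": "extendedAuditEventCategory", "Value": "Device"},
        {"Name": "actorContextId", "Value": "constructed-tenant-id"},
    ],
    "ModifiedProperties": [
        {"Name": "DeviceOSType", "NewValue": "Windows"},
        {"Name": "DeviceOSVersion", "NewValue": "10.0.19045"},
        {"Name": "DevicePhysicalIds", "NewValue": "[GID]:g:constructed"},
        {"Name": "DisplayName", "NewValue": "BOB-PHONE"},
        {"Name": "Included Updated Properties", "NewValue": "DeviceOSType, DeviceOSVersion, DisplayName"},
    ],
    "Target": [{"Type": 1, "ID": "Device_constructed-1"}, {"Type": 5, "ID": "bob@example.com"}],
}
# A failed deletion with no DisplayName, so the Type 1 Target ID becomes the resource name.
SAMPLE_DELETE_DEVICE = {
    "ResultStatus": "Failure",
    "Version": 1,
    "ExtendedProperties": [{"Name": "targetObjectId", "Value": "constructed-object-id-2"}],
    "ModifiedProperties": [{"Name": "Included Updated Properties", "NewValue": ""}],
    "Target": [{"Type": 1, "ID": "Device_constructed-2"}, {"Type": 5, "ID": "bob@example.com"}],
}

# ModifiedProperties Name -> UDM field, as listed in the device tables.
MODIFIED_PROPERTY_FIELDS = {
    "DeviceOSType": "target.platform",
    "DeviceOSVersion": "target.platform_version",
    "DevicePhysicalIds": "security_result.description",
    "DisplayName": "target.resource.name",
    "Included Updated Properties": "security_result.summary",
}


def user_agent_from_details(value):
    """Pull User-Agent out of an additionalDetails value; None if it is not a JSON object."""
    try:
        details = json.loads(value)
    except ValueError:
        return None
    return details.get("User-Agent") if isinstance(details, dict) else None


def normalize_device_event(record, event_type="USER_RESOURCE_UPDATE_CONTENT"):
    """Return a flat dict of UDM field paths for one device add/update/delete record."""
    udm = {
        "metadata.event_type": event_type,
        "target.resource.resource_type": "DEVICE",
        "metadata.product_version": str(record.get("Version", "")),
        "target.resource.attribute.labels": {},
        "about.labels": {},
        "security_result.detection_fields": {},
    }
    status = record.get("ResultStatus")
    if status == "Success":
        udm["security_result.action"] = "ALLOW"
    elif status == "Failure":
        udm["security_result.action"] = "BLOCK"
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), str(prop.get("Value", ""))
        if name == "targetObjectId":
            udm["target.resource.product_object_id"] = value
        elif name == "additionalDetails":
            user_agent = user_agent_from_details(value)
            if user_agent:
                udm["network.http.user_agent"] = user_agent
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"][name] = value
        else:
            udm["about.labels"][name] = value
    for prop in record.get("ModifiedProperties", []):
        field = MODIFIED_PROPERTY_FIELDS.get(prop.get("Name"))
        if field and prop.get("NewValue"):
            udm[field] = str(prop["NewValue"])
    for tgt in record.get("Target", []):
        kind, ident = tgt.get("Type"), tgt.get("ID")
        if kind == 1:
            udm.setdefault("target.resource.name", ident)  # DisplayName, when present, wins
        elif kind == 5:
            udm["target.user.userid"] = ident
        else:
            udm["security_result.detection_fields"][f"Target_Type_{kind}"] = ident
    return udm
```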

Add app role assignment grant to user

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment grant to user" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

Workload is mapped to intermediary.application

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.application

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetName then Value is mapped to target.application

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.user.userid or target.user.email_addresses

If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

The following table lists the log fields and corresponding UDM mappings for the operation "Consent to application" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Update service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Update service principal" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Add service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal" and the workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from Value is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Remove service principal

The following table lists the log fields for the operation "Remove service principal" and the workload "AzureActiveDirectory", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
| ModifiedProperties | security_result.summary or target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
| TargetContextId | target.labels.key/value |

Add member to role

The following table lists the log fields for the operation "Add member to role" and the workload "AzureActiveDirectory", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "Added a user to an admin role successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to "Added a user to an admin role failed". ObjectId is mapped to target.url. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
| ModifiedProperties | target.resource.product_object_id, target.user.attribute.roles.name, or target.user.attribute.labels.key/value. If Name is Role.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Role.DisplayName, NewValue is mapped to target.user.attribute.roles.name; if Name is Role.TemplateId, NewValue and OldValue are mapped to target.user.attribute.labels.key/value. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
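As an added example (not Chronicle's parser code), the following Python applies the rules in the table above for the AzureActiveDirectory operation "Add member to role" to a constructed audit record, then runs a simple detection over the result: a successful grant of one of an assumed set of privileged roles. A flat dict keyed by dotted UDM path stands in for UDM (label groups are nested dicts). The sample record with its GUIDs, names and IP address, the PRIVILEGED_ROLES set, the choice between userid and email_addresses by the shape of the ID, and the host:port handling for ActorIpAddress are all assumptions made for this example.

```python
# Added example (not Chronicle's parser code): the mapping rules in the table above for
# the AzureActiveDirectory "Add member to role" operation, applied to a constructed record.
import json

# Constructed sample in the JSON shape of the Office 365 Management Activity API (operation
# names carry a trailing period there); GUIDs, names and the IP address are made up.
SAMPLE_RECORD = {
    "Workload": "AzureActiveDirectory",
    "Operation": "Add member to role.",
    "ResultStatus": "Success",
    "Version": 1,
    "ObjectId": "alice@example.com",
    "AzureActiveDirectoryEventType": 1,
    "ActorIpAddress": "203.0.113.10:51234",
    "ActorContextId": "11111111-1111-1111-1111-111111111111",
    "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "Target": [{"ID": "alice@example.com", "Type": 5}, {"ID": "User", "Type": 2}],
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0)\"}"},
        {"Name": "extendedAuditEventCategory", "Value": "User"},
    ],
    "ModifiedProperties": [
        {"Name": "Role.ObjectId", "NewValue": "22222222-2222-2222-2222-222222222222", "OldValue": ""},
        {"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""},
        {"Name": "Role.TemplateId", "NewValue": "33333333-3333-3333-3333-333333333333", "OldValue": ""},
    ],
}
SAMPLE_LINE = json.dumps(SAMPLE_RECORD)  # one raw log line, as the feed delivers it

# Assumed set of role display names worth alerting on; tune it for your tenant.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def split_ip_port(value):
    """Split 'ip:port' or '[v6]:port' into (ip, port); a bare address gets port None."""
    if value.startswith("["):
        host, _, port = value[1:].partition("]:")
        return host, (int(port) if port else None)
    if value.count(":") == 1:  # exactly one colon: IPv4 with a port
        host, port = value.split(":")
        return host, int(port)
    return value, None  # bare IPv4, or IPv6 without brackets


def map_add_member_to_role(record):
    """Map one raw line (str) or parsed record (dict) to a flat dict keyed by UDM path."""
    rec = json.loads(record) if isinstance(record, str) else record
    if rec.get("Workload") != "AzureActiveDirectory" or rec.get("Operation", "").rstrip(".") != "Add member to role":
        raise ValueError("not an AzureActiveDirectory 'Add member to role' record")
    udm = {
        "metadata.event_type": "USER_UNCATEGORIZED",
        "metadata.product_version": str(rec.get("Version", "")),
        "target.url": rec.get("ObjectId"),
        "target.resource.attribute.labels": {"AzureActiveDirectoryEventType": str(rec.get("AzureActiveDirectoryEventType"))},
        "target.user.attribute.labels": {},
        "about.labels": {},
        "principal.labels": {"ActorContextId": rec.get("ActorContextId")},
        "security_result.detection_fields": {},
    }
    # ResultStatus decides both the action and the fixed summary string.
    if rec.get("ResultStatus") == "Success":
        udm["security_result.action"] = "ALLOW"
        udm["security_result.summary"] = "Added a user to an admin role successfully"
    elif rec.get("ResultStatus") == "Failure":
        udm["security_result.action"] = "BLOCK"
        udm["security_result.summary"] = "Added a user to an admin role failed"
    if rec.get("ActorIpAddress"):
        udm["principal.ip"], udm["principal.port"] = split_ip_port(rec["ActorIpAddress"])
    # ExtendedProperties: additionalDetails carries a JSON blob that holds the User-Agent.
    for prop in rec.get("ExtendedProperties", []):
        if prop["Name"] == "additionalDetails":
            udm["network.http.user_agent"] = json.loads(prop["Value"]).get("User-Agent")
        elif prop["Name"] == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"][prop["Name"]] = prop["Value"]
        else:
            udm["about.labels"][prop["Name"]] = prop["Value"]
    # ModifiedProperties: which role was granted.
    for prop in rec.get("ModifiedProperties", []):
        if prop["Name"] == "Role.ObjectId":
            udm["target.resource.product_object_id"] = prop["NewValue"]
        elif prop["Name"] == "Role.DisplayName":
            udm["target.user.attribute.roles.name"] = prop["NewValue"]
        elif prop["Name"] == "Role.TemplateId":
            udm["target.user.attribute.labels"]["Role.TemplateId.NewValue"] = prop["NewValue"]
            udm["target.user.attribute.labels"]["Role.TemplateId.OldValue"] = prop["OldValue"]
    # Target: only Type 5 (a user) becomes the UDM target user (userid or email, chosen by shape).
    for i, tgt in enumerate(rec.get("Target", [])):
        if tgt.get("Type") == 5:
            udm["target.user.email_addresses" if "@" in tgt["ID"] else "target.user.userid"] = tgt["ID"]
        else:
            udm["security_result.detection_fields"][f"Target.{i}.ID"] = tgt["ID"]
    return udm


def is_privileged_role_grant(udm):
    """Detection over the mapped event: a *successful* grant of a privileged role."""
    return (udm.get("security_result.action") == "ALLOW"
            and udm.get("target.user.attribute.roles.name") in PRIVILEGED_ROLES)


if __name__ == "__main__":
    event = map_add_member_to_role(SAMPLE_LINE)
    print(json.dumps(event, indent=2), "\nprivileged grant:", is_privileged_role_grant(event))
```

The detection deliberately keys on security_result.action rather than on ResultStatus in the raw record: once the feed is in Chronicle, rules see only the UDM side, so a failed attempt (BLOCK) is excluded without re-reading the raw JSON.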

Remove member from role

The following table lists the log fields for the operation "Remove member from role" and the workload "AzureActiveDirectory", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to "Removed a user to an admin role successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to "Removed a user to an admin role failed". |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id or target.user.attribute.roles.name. If Name is Role.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Role.DisplayName, NewValue is mapped to target.user.attribute.roles.name. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
| ModifiedProperties | security_result.summary or target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses. |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |

Add label

The following table lists the log fields for the operation "Add label" and the workload "AzureActiveDirectory", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. ObjectId is set to target.resource.product_object_id. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
| ModifiedProperties | security_result.summary or target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses. |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |

Create company

The following table lists the log fields for the operation "Create company" and the workload "AzureActiveDirectory", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_COMMUNICATION. ObjectId is set to target.resource.product_object_id. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.labels.key/value |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |

TeamsSessionStarted

The following table lists the log fields for the operation "TeamsSessionStarted" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCHEDULED_TASK_CREATION and target.resource.resource_type is set to TASK. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

ScheduleGroupAdded

The following table lists the log fields for the operation "ScheduleGroupAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION and target.resource.resource_type is set to TASK. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

ScheduleGroupEdited

The following table lists the log fields for the operation "ScheduleGroupEdited" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCHEDULED_TASK_DELETION and target.resource.resource_type is set to TASK. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

ScheduleGroupDeleted

The following table lists the log fields for the operation "ScheduleGroupDeleted" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_CREATION and target.resource.resource_type is set to SETTING. SETTING_CREATION requires a principal machine identifier (IP address, hostname, asset ID, MAC address, and so on) to pass UDM validation. According to the official Office 365 documentation, ClientIP is a mandatory field for all Office 365 activities, but in some cases it is absent. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
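As an added example (not Chronicle's parser code), the following Python applies the ClientIP rule stated in the table above to two constructed MicrosoftTeams Shifts records, one with ClientIP and one without. The operation-specific event type and resource type are passed in by the caller (take them from the table for the operation concerned); the function only decides whether the record keeps them or falls back to GENERIC_EVENT, and maps the Shifts fields the tables list. The sample records, the mapping of ClientIP to principal.ip, the Key/Value shape assumed for ExtraProperties, and the count_downgraded feed-quality check are assumptions made for this example.

```python
# Added example (not Chronicle's parser code): the ClientIP fallback for MicrosoftTeams
# Shifts records, plus the field mappings listed in the tables. Sample values are made up.
import json

# Constructed records in the Management Activity API shape. ExtraProperties is assumed to be
# a list of {"Key": ..., "Value": ...} pairs, matching the key/value mapping in the table.
WITH_CLIENT_IP = {
    "Workload": "MicrosoftTeams", "Operation": "ShiftAdded", "Version": 1,
    "ClientIP": "198.51.100.7", "UserId": "manager@example.com",
    "AADGroupId": "44444444-4444-4444-4444-444444444444",
    "TeamGuid": "19:0123456789abcdef@thread.skype", "TeamName": "Store 12",
    "ScheduleId": "55555555-5555-5555-5555-555555555555",
    "Shift": "{\"startDateTime\":\"2024-01-08T08:00:00Z\"}",
    "ExtraProperties": [{"Key": "Region", "Value": "EU"}],
}
WITHOUT_CLIENT_IP = {k: v for k, v in WITH_CLIENT_IP.items() if k != "ClientIP"}
WITH_CLIENT_IP_LINE = json.dumps(WITH_CLIENT_IP)  # one raw log line, as the feed delivers it


def map_shifts_record(record, event_type, resource_type):
    """Map one raw line (str) or parsed record (dict) to a flat dict keyed by UDM path.
    event_type/resource_type are the operation-specific values from the table
    (for example SETTING_CREATION and SETTING)."""
    rec = json.loads(record) if isinstance(record, str) else record
    udm = {
        "metadata.product_version": str(rec.get("Version", "")),
        "target.labels": {"AADGroupId": rec.get("AADGroupId")},
        "target.group.group_display_name": rec.get("TeamName"),
        "target.resource.product_object_id": rec.get("ScheduleId"),
        "additional.fields": {},
    }
    # SETTING_* and SCHEDULED_TASK_* events need a principal machine id to pass UDM
    # validation. ClientIP is the only source of one here (assumed to land in principal.ip),
    # so without it the event is downgraded to GENERIC_EVENT instead of being rejected.
    if rec.get("ClientIP"):
        udm["principal.ip"] = rec["ClientIP"]
        udm["metadata.event_type"] = event_type
        udm["target.resource.resource_type"] = resource_type
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    # TeamGuid is written twice: into the user's group list and as the group's own id.
    if rec.get("TeamGuid"):
        udm["target.user.group_identifiers"] = [rec["TeamGuid"]]
        udm["target.group.product_object_id"] = rec["TeamGuid"]
    if "Shift" in rec:
        udm["target.resource.attribute.labels"] = {"Shift": rec["Shift"]}
    for item in rec.get("ExtraProperties", []):
        udm["additional.fields"][item["Key"]] = item["Value"]
    return udm


def count_downgraded(records, event_type, resource_type):
    """Feed-quality check: (downgraded, total) for a batch of records of one operation.
    Rules keyed on the specific event type silently miss the downgraded ones."""
    events = [map_shifts_record(r, event_type, resource_type) for r in records]
    return sum(e["metadata.event_type"] == "GENERIC_EVENT" for e in events), len(events)


if __name__ == "__main__":
    for r in (WITH_CLIENT_IP_LINE, WITHOUT_CLIENT_IP):
        print(json.dumps(map_shifts_record(r, "SETTING_CREATION", "SETTING"), indent=2))
    print(count_downgraded([WITH_CLIENT_IP, WITHOUT_CLIENT_IP], "SETTING_CREATION", "SETTING"))
```

The practical consequence of the fallback is the second function: a rule written against SETTING_CREATION (or any other specific event type in these tables) never sees the records that arrived without ClientIP, so a batch with a high downgraded ratio is worth investigating at the source rather than in the rule.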

ShiftAdded

The following table lists the log fields for the operation "ShiftAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |

ShiftEdited

The following table lists the log fields for the operation "ShiftEdited" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_DELETION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |

ShiftDeleted

The following table lists the log fields for the operation "ShiftDeleted" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_CREATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |

TimeOffAdded

The following table lists the log fields for the operation "TimeOffAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |

TimeOffEdited

The following table lists the log fields for the operation "TimeOffEdited" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_DELETION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |

TimeOffDeleted

The following table lists the log fields for the operation "TimeOffDeleted" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_CREATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |

OpenShiftAdded

The following table lists the log fields for the operation "OpenShiftAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |

OpenShiftEdited

The following table lists the log fields for the operation "OpenShiftEdited" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_DELETION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |

OpenShiftDeleted

The following table lists the log fields for the operation "OpenShiftDeleted" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

ScheduleShared

The following table lists the log fields for the operation "ScheduleShared" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

ClockedIn

The following table lists the log fields for the operation "ClockedIn" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

BreakStarted

The following table lists the log fields for the operation "BreakStarted" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

BreakEnded

The following table lists the log fields for the operation "BreakEnded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.labels.key/value |

RequestAdded

The following table lists the log fields for the operation "RequestAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.labels.key/value |

RequestRespondedTo

The following table lists the log fields for the operation "RequestRespondedTo" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.labels.key/value |

RequestCancelled

The following table lists the log fields for the operation "RequestCancelled" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |

ScheduleSettingChanged

The following table lists the log fields for the operation "ScheduleSettingChanged" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |

TeamSettingChanged

The following table lists the log fields for the operation "TeamSettingChanged" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION and target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |

AppInstalled

The following table lists the log fields for the operation "AppInstalled" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| AddOnName | target.resource.name |
| Version | metadata.product_version |
| AppDistributionMode | about.labels.key/value |
| AzureADAppId | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TargetUserId | target.user.product_object_id |

MemberRemoved

The following table lists the log fields for the operation "MemberRemoved" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers and target.group.product_object_id |

TabRemoved

The following table lists the log fields for the operation "TabRemoved" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| AddOnName | target.resource.name |
| ChannelName | target.resource.attribute.labels.key/value |
| TeamName | target.group.group_display_name |

AppUninstalled

The following table lists the log fields for the operation "AppUninstalled" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| AddOnName | target.resource.name |
| Version | metadata.product_version |
| AppDistributionMode | about.labels.key/value |
| AzureADAppId | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TargetUserId | target.user.product_object_id |

MemberAdded

The following table lists the log fields for the operation "MemberAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| CommunicationType | about.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers and target.group.product_object_id |

TabAdded

The following table lists the log fields for the operation "TabAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| AddOnName | target.resource.name |
| AddOnUrl | target.url |
| ChannelName | target.labels.key/value |
| TeamName | target.group.group_display_name |

ClockedOut

The following table lists the log fields for the operation "ClockedOut" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ScheduleId | target.resource.product_object_id |

TeamCreated

The following table lists the log fields for the operation "TeamCreated" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.resource.product_object_id |
| TeamName | target.resource.name |
| Version | metadata.product_version |

BotAddedToTeam

The following table lists the log fields for the operation "BotAddedToTeam" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GROUP_MODIFICATION. |
| AddOnGuid | target.resource.product_object_id |
| AddOnName | target.resource.name |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |

ChannelAdded

The following table lists the log fields for the operation "ChannelAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |

ConnectorAdded

The following table lists the log fields for the operation "ConnectorAdded" and the workload "MicrosoftTeams", and the corresponding UDM mappings:

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |

ChannelSettingChanged

下表列出了操作“ChannelSettingChanged”和工作负载“MicrosoftTeams”的日志字段和对应的 UDM 映射:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

TeamsTenantSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsTenantSettingChanged" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

MemberRoleChanged

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRoleChanged" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name
    DisplayName is mapped to about.user.user_display_name
    Role is mapped to about.user.attribute.roles.name
    UPN is mapped to about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

DeletedAllOrganizationApps

The following table lists the log fields and corresponding UDM mappings for the operation "DeletedAllOrganizationApps" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

ChannelDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelDeleted" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

TeamDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamDeleted" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.resource.product_object_id
TeamName target.resource.name

BotRemovedFromTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotRemovedFromTeam" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

ConnectorRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorRemoved" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

ConnectorUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorUpdated" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name

TabUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "TabUpdated" and the workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid target.labels.key/value
AddOnName target.resource.name
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.resource.attribute.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.user.group_identifiers, target.group.product_object_id
TeamName target.group.group_display_name
AADGroupId target.labels.key/value
AddOnUrl target.url
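
The Teams tables above share one shape: a Members array that fans out into about.user entries, TeamGuid/TeamName that identify the group (or, for TeamDeleted, the deleted resource), a Name/NewValue pair for the changed setting, and a ClientIP-absent fallback to GENERIC_EVENT for TeamsTenantSettingChanged. The following added example (not the Chronicle OFFICE_365 parser and not code from this page) implements those rules over constructed records; the event-type constants are the ones listed in the tables, and the record shape is the Office 365 Management Activity schema.

```python
"""Normalize Microsoft Teams audit records into UDM-style fields.

Added example; this is not the Chronicle OFFICE_365 parser. It follows the
Teams tables above: Members entries (UPN, DisplayName, Role) become about.user
fields, TeamGuid/TeamName become target.group fields (target.resource for
TeamDeleted), Name/NewValue become a target.resource.attribute label, and a
TeamsTenantSettingChanged record without ClientIP is downgraded to GENERIC_EVENT.
The event-type constants come from the tables; the sample records are constructed.
"""

# Operation -> metadata.event_type, as listed in the tables above.
TEAMS_EVENT_TYPES = {
    "MemberRoleChanged": "USER_CHANGE_PERMISSIONS",
    "ChannelSettingChanged": "SETTING_MODIFICATION",
    "TeamsTenantSettingChanged": "SETTING_MODIFICATION",
    "TeamDeleted": "USER_RESOURCE_DELETION",
    "ChannelDeleted": "USER_RESOURCE_DELETION",
    "BotRemovedFromTeam": "GROUP_MODIFICATION",
}
SETTING_OPS = {"ChannelSettingChanged", "TeamsTenantSettingChanged"}


def normalize_teams_event(record: dict) -> dict:
    op = record.get("Operation")
    event_type = TEAMS_EVENT_TYPES.get(op, "GENERIC_EVENT")
    # TeamsTenantSettingChanged: the table says GENERIC_EVENT when ClientIP is absent.
    if op == "TeamsTenantSettingChanged" and not record.get("ClientIP"):
        event_type = "GENERIC_EVENT"

    udm = {"metadata": {"event_type": event_type, "product_event_type": op},
           "about": [], "target": {"resource": {}}}
    if op in SETTING_OPS:
        udm["target"]["resource"]["resource_type"] = "SETTING"

    # Name/NewValue describe the changed setting and travel as one label pair.
    if record.get("Name") is not None:
        udm["target"]["resource"]["attribute"] = {
            "labels": [{"key": record["Name"], "value": str(record.get("NewValue", ""))}]}

    # Members: each entry is one about.user carrying UPN, display name and role.
    for member in record.get("Members") or []:
        user = {}
        if member.get("UPN"):
            user["email_addresses"] = [member["UPN"]]
        if member.get("DisplayName"):
            user["user_display_name"] = member["DisplayName"]
        if member.get("Role") is not None:
            user["attribute"] = {"roles": [{"name": str(member["Role"])}]}
        udm["about"].append({"user": user})

    # TeamGuid/TeamName: the deleted resource for TeamDeleted, group identity otherwise.
    if op == "TeamDeleted":
        udm["target"]["resource"].update(product_object_id=record.get("TeamGuid"),
                                         name=record.get("TeamName"))
    elif record.get("TeamGuid"):
        udm["target"]["group"] = {"product_object_id": record["TeamGuid"],
                                  "group_display_name": record.get("TeamName")}
        udm["target"]["user"] = {"group_identifiers": [record["TeamGuid"]]}
    return udm


# Constructed sample records in the Office 365 Management Activity shape.
SAMPLE_MEMBER_ROLE_CHANGED = {
    "Operation": "MemberRoleChanged", "Workload": "MicrosoftTeams",
    "ClientIP": "203.0.113.10",
    "Members": [{"UPN": "alice@example.com", "DisplayName": "Alice Example", "Role": 1}],
    "TeamGuid": "19:example-team-guid@thread.tacv2", "TeamName": "Finance",
}
SAMPLE_TENANT_SETTING_NO_IP = {
    "Operation": "TeamsTenantSettingChanged", "Workload": "MicrosoftTeams",
    "Name": "AllowGuestAccess", "NewValue": "True",
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_teams_event(SAMPLE_MEMBER_ROLE_CHANGED), indent=2))
    print(normalize_teams_event(SAMPLE_TENANT_SETTING_NO_IP)["metadata"]["event_type"])
```

The ClientIP fallback matters for detection content: a rule keyed on SETTING_MODIFICATION for tenant settings will silently miss records that arrive without a client address, so such rules should also match GENERIC_EVENT with product_event_type TeamsTenantSettingChanged.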

Update

The following table lists the log fields and corresponding UDM mappings for the operation "Update" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
    If LogonType is 2, mechanism is set to INTERACTIVE
    If LogonType is 3 or 8, mechanism is set to NETWORK
    If LogonType is 4, mechanism is set to BATCH
    If LogonType is 5, mechanism is set to SERVICE
    If LogonType is 7, mechanism is set to UNLOCK
    If LogonType is 9, mechanism is set to NEW_CREDENTIALS
    If LogonType is 9, mechanism is set to REMOTE_INTERACTIVE
    If LogonType is 9, mechanism is set to CACHED_INTERACTIVE
    Otherwise, mechanism is set to MECHANISM_UNSPECIFIED

InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
Item network.email.subject, target.resource.product_object_id, target.resource.name, target.file.size, network.email.mail_id, target.file.full_path
    Id is mapped to target.resource.product_object_id
    Subject is mapped to network.email.subject
    SizeInBytes is mapped to target.file.size
    Item.ParentFolder.Path is mapped to target.resource.name
    InternetMessageId is mapped to network.email.mail_id
    Attachments is mapped to target.file.full_path
ModifiedProperties security_result.summary
SessionId network.session_id
ClientRequestId principal.labels.key/value
Version metadata.product_version
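
The Exchange "Update" table above is the fullest statement of the mailbox-audit mapping that the following Exchange tables repeat: the LogonType to auth mechanism switch, ClientIPAddress carrying both principal.ip and principal.port, and the Item sub-fields spread over network.email.*, target.resource.* and target.file.*. The following added example (not the Chronicle parser and not code from this page) implements that table over a constructed record. Where the table lists LogonType 9 for three different mechanisms, the example keeps 9 as NEW_CREDENTIALS and assumes the standard Windows numbering (10 REMOTE_INTERACTIVE, 11 CACHED_INTERACTIVE) for the other two; that numbering is this example's assumption, not something the table states.

```python
"""Normalize an Exchange mailbox-audit "Update" record into UDM-style fields.

Added example; this is not the Chronicle parser. It implements the table above:
LogonType -> extensions.auth.mechanism, ClientIPAddress split into principal.ip
and principal.port, Item sub-fields to network.email.* and target.*, and
ModifiedProperties joined into security_result.summary. LogonType values
2, 3, 8, 4, 5 and 7 follow the table. The table lists 9 for NEW_CREDENTIALS,
REMOTE_INTERACTIVE and CACHED_INTERACTIVE alike, so this example assumes the
standard Windows numbering for the last two (10 and 11); that is an assumption
of this example, not something the table states. The sample record is constructed.
"""

LOGON_MECHANISM = {
    2: "INTERACTIVE", 3: "NETWORK", 8: "NETWORK", 4: "BATCH", 5: "SERVICE", 7: "UNLOCK",
    9: "NEW_CREDENTIALS",
    10: "REMOTE_INTERACTIVE",   # assumed (Windows numbering); the table says 9
    11: "CACHED_INTERACTIVE",   # assumed (Windows numbering); the table says 9
}


def logon_mechanism(logon_type) -> str:
    """Map the raw LogonType to a UDM auth mechanism; anything unknown is UNSPECIFIED."""
    try:
        return LOGON_MECHANISM.get(int(logon_type), "MECHANISM_UNSPECIFIED")
    except (TypeError, ValueError):
        return "MECHANISM_UNSPECIFIED"


def split_ip_port(value):
    """ClientIPAddress arrives as 'ip:port', '[v6]:port', bare IPv4 or bare IPv6."""
    if not value:
        return None, None
    if value.startswith("["):                       # [2001:db8::1]:443
        host, _, port = value[1:].partition("]:")
        return host, (int(port) if port.isdigit() else None)
    if value.count(":") == 1:                       # 203.0.113.10:51234
        host, port = value.split(":")
        return host, (int(port) if port.isdigit() else None)
    return value, None                              # bare IPv4 or bare IPv6


def normalize_exchange_update(record: dict) -> dict:
    item = record.get("Item") or {}
    parent = item.get("ParentFolder") or {}
    ip, port = split_ip_port(record.get("ClientIPAddress"))
    owner = record.get("MailboxOwnerUPN")
    return {
        "metadata": {"event_type": "EMAIL_UNCATEGORIZED",
                     "product_version": record.get("ClientVersion") or record.get("Version")},
        "extensions": {"auth": {"mechanism": logon_mechanism(record.get("LogonType"))}},
        "principal": {
            "ip": [ip] if ip else [], "port": port,
            # Both ClientMachineName and OriginatingServer map to principal.hostname in
            # the table; the client machine is preferred here when both are present.
            "hostname": record.get("ClientMachineName") or record.get("OriginatingServer"),
            "user": {"windows_sid": record.get("LogonUserSid"),
                     "user_display_name": record.get("LogonUserDisplayName")},
            "process": {"file": {"full_path": record.get("ClientProcessName")}},
        },
        "target": {
            "user": {"email_addresses": [owner] if owner else [],
                     "windows_sid": record.get("MailboxOwnerSid")},
            "administrative_domain": record.get("OrganizationName"),
            "resource": {"product_object_id": item.get("Id"), "name": parent.get("Path")},
            "file": {"size": item.get("SizeInBytes"), "full_path": item.get("Attachments")},
        },
        "network": {"http": {"user_agent": record.get("ClientInfoString")},
                    "session_id": record.get("SessionId"),
                    "email": {"subject": item.get("Subject"),
                              "mail_id": item.get("InternetMessageId")}},
        "security_result": {"summary": ", ".join(record.get("ModifiedProperties") or [])},
    }


# Constructed sample in the Exchange mailbox-audit shape (all values are placeholders).
SAMPLE_UPDATE = {
    "Operation": "Update", "Workload": "Exchange", "LogonType": 2, "Version": "1",
    "ClientIPAddress": "203.0.113.10:51234", "ClientInfoString": "Client=OWA;Action=ViaProxy",
    "ClientProcessName": "Microsoft.Exchange.WebServices", "ClientVersion": "15.20.1234.5",
    "ClientMachineName": "WKS-EXAMPLE", "OriginatingServer": "MB-EXAMPLE (15.20.1234.000)",
    "LogonUserSid": "S-1-5-21-1-2-3-1001", "LogonUserDisplayName": "Alice Example",
    "MailboxOwnerUPN": "alice@example.com", "MailboxOwnerSid": "S-1-5-21-1-2-3-1001",
    "OrganizationName": "example.onmicrosoft.com", "SessionId": "sess-0001",
    "ModifiedProperties": ["Subject", "Body"],
    "Item": {"Id": "AAMk-example-item-id", "Subject": "Q3 forecast", "SizeInBytes": 20480,
             "InternetMessageId": "<msg-0001@example.com>",
             "ParentFolder": {"Path": "\\Drafts"}, "Attachments": "forecast.xlsx (18000b)"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_exchange_update(SAMPLE_UPDATE), indent=2))
```

The ClientIPAddress split is the part most worth checking against real data: a bare IPv6 address contains several colons, so a naive split on ":" would produce a wrong port and a truncated address, which is why the helper only treats a single colon as an ip:port separator.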

FolderBind

The following table lists the log fields and corresponding UDM mappings for the operation "FolderBind" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value
ClientRequestId principal.labels.key/value
Item target.resource.product_object_id, target.resource.name, network.email.mail_id
    Item.Id is mapped to target.resource.product_object_id
    Item.InternetMessageId is mapped to network.email.mail_id
    Item.ParentFolder.Path is mapped to target.resource.name
SessionId network.session_id
Version metadata.product_version

SendOnBehalf

The following table lists the log fields and corresponding UDM mappings for the operation "SendOnBehalf" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value
Item network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id
    Item.InternetMessageId is mapped to network.email.mail_id
    Item.Subject is mapped to network.email.subject
    Item.Attachments is mapped to target.file.full_path
    Item.Id is mapped to target.resource.product_object_id
SessionId network.session_id
SendOnBehalfOfUserSmtp target.user.userid or target.user.email_addresses
Version metadata.product_version

SendAs

The following table lists the log fields and corresponding UDM mappings for the operation "SendAs" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SendAsUserMailboxGuid about.labels.key/value
Item network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id
    Item.InternetMessageId is mapped to network.email.mail_id
    Item.Subject is mapped to network.email.subject
    Item.Attachments is mapped to target.file.full_path
    Item.Id is mapped to target.resource.product_object_id
SessionId network.session_id
SendAsUserSmtp target.user.userid or target.user.email_addresses
Version metadata.product_version

Send

The following table lists the log fields and corresponding UDM mappings for the operation "Send" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id
SessionId network.session_id
Version metadata.product_version

New-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-InboxRule" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

ObjectId is set to target.group.product_object_id

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SessionId network.session_id
Version metadata.product_version
Parameters security_result.rule_labels.key/value
AppId target.labels.key/value

Set-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-InboxRule" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

ObjectId is set to target.group.product_object_id

target.resource.resource_type is set to SETTING

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
Parameters security_result.rule_labels.key/value
SessionId network.session_id
ClientRequestId principal.labels.key/value
Version metadata.product_version

MoveToDeletedItems

The following table lists the log fields and corresponding UDM mappings for the operation "MoveToDeletedItems" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
DestFolder target.resource.product_object_id, target.resource.name
SessionId network.session_id
Version metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
    Subject is mapped to network.email.subject
    ParentFolder.Path is mapped to about.file.full_path
    AffectedItems.0.InternetMessageId is mapped to network.email.mail_id
Folder src.resource.product_object_id, src.resource.name
ClientRequestId principal.labels.key/value
AppId target.labels.key/value

Move

The following table lists the log fields and corresponding UDM mappings for the operation "Move" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
DestFolder target.resource.product_object_id, target.resource.name
SessionId network.session_id
Version metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
Folder src.resource.product_object_id, src.resource.name

MailItemsAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "MailItemsAccessed" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
OperationProperties security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version
OperationCount about.labels.key/value
AppId target.labels.key/value
Folders about.resource.name, about.resource.product_object_id, network.email.mail_id
    Folders.Path is mapped to about.resource.name
    Folders.Id is mapped to about.resource.product_object_id
    Folders.0.FolderItems.0.InternetMessageId is mapped to network.email.mail_id

MailboxLogin

The following table lists the log fields and corresponding UDM mappings for the operation "MailboxLogin" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

auth.Type is MACHINE

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SessionId network.session_id
Version metadata.product_version

SoftDelete

The following table lists the log fields and corresponding UDM mappings for the operation "SoftDelete" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
    AffectedItems.Attachments is mapped to about.file.full_path
    AffectedItems.Subject is mapped to network.email.subject
    AffectedItems.0.InternetMessageId is mapped to network.email.mail_id
Folder target.resource.name, target.resource.product_object_id
    Folder.Path is mapped to target.resource.name
    Folder.Id is mapped to target.resource.product_object_id
SessionId network.session_id
ClientRequestId principal.labels.key/value
Version metadata.product_version

HardDelete

The following table lists the log fields and corresponding UDM mappings for the operation "HardDelete" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
Version metadata.product_version
ClientAppId target.labels.key/value
AppId target.labels.key/value
Folder target.resource.name, target.resource.product_object_id

Create

The following table lists the log fields and corresponding UDM mappings for the operation "Create" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.resource.name, target.resource.product_object_id, target.file.full_path, network.email.subject, network.email.mail_id
    Item.Id is mapped to target.resource.product_object_id
    Item.InternetMessageId is mapped to network.email.mail_id
    Item.ParentFolder.Path is mapped to target.resource.name
    Item.Subject is mapped to network.email.subject
    Item.Attachments, which may or may not be present in the log, is mapped to target.file.full_path when present
SessionId network.session_id
Version metadata.product_version

RemoveFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveFolderPermissions" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
    If ResultStatus is Succeeded, Action is set to ALLOW; otherwise Action is set to BLOCK

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.resource.attribute.permissions.name, target.user.email_addresses or target.user.userid
    Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid
    Item.ParentFolder.Path is mapped to target.file.full_path
    User rights is mapped to target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version

ModifyFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "ModifyFolderPermissions" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
    If ResultStatus is Succeeded, Action is set to ALLOW; otherwise Action is set to BLOCK

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.user.email_addresses or target.user.userid, target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version

AddFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "AddFolderPermissions" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
    If ResultStatus is Succeeded, Action is set to ALLOW; otherwise Action is set to BLOCK

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.user.email_addresses or target.user.userid, target.resource.attribute.permissions.name
    Path is mapped to target.file.full_path
    Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid
    User Rights is mapped to target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version
AppId target.labels.key/value
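
The three folder-permission tables above (RemoveFolderPermissions, ModifyFolderPermissions and AddFolderPermissions) share the same logic: USER_CHANGE_PERMISSIONS as the event type, ALLOW or BLOCK derived from ResultStatus, and the folder path, grantee UPN and granted rights taken from Item.ParentFolder. The following added example (not the Chronicle parser and not code from this page) implements that shared mapping once over constructed records. The tables do not name the raw field that carries the user rights, so the example assumes "MemberRights" with "UserRights" as a fallback; the closing broad-grant check is a defender's addition for triage and is not part of the tables.

```python
"""Normalize Exchange folder-permission audit records into UDM-style fields.

Added example; this is not the Chronicle parser. It serves the
AddFolderPermissions, ModifyFolderPermissions and RemoveFolderPermissions
tables above: the event type is USER_CHANGE_PERMISSIONS, the action is ALLOW
when ResultStatus is Succeeded and BLOCK otherwise, Item.ParentFolder.Path goes
to target.file.full_path, Item.ParentFolder.MemberUpn to target.user, and the
granted rights to target.resource.attribute.permissions.name. The tables do not
name the raw rights field; this example assumes "MemberRights" with "UserRights"
as a fallback (assumption). The broad-grant check at the end is a defender's
addition and not part of the tables. Sample records are constructed.
"""

FOLDER_PERMISSION_OPS = {"AddFolderPermissions", "ModifyFolderPermissions", "RemoveFolderPermissions"}
# Exchange's built-in folder principals: "Default" is every user in the organisation,
# "Anonymous" is unauthenticated access.
BUILTIN_GRANTEES = {"Default", "Anonymous"}


def action_from_result(result_status) -> str:
    """ResultStatus Succeeded -> ALLOW, anything else -> BLOCK (per the tables)."""
    return "ALLOW" if result_status == "Succeeded" else "BLOCK"


def normalize_folder_permission(record: dict) -> dict:
    op = record.get("Operation")
    if op not in FOLDER_PERMISSION_OPS:
        raise ValueError(f"not a folder-permission operation: {op!r}")
    folder = (record.get("Item") or {}).get("ParentFolder") or {}
    rights = folder.get("MemberRights", folder.get("UserRights"))   # assumed field names
    if isinstance(rights, str):
        rights = [r.strip() for r in rights.split(",") if r.strip()]
    upn = folder.get("MemberUpn")
    return {
        "metadata": {"event_type": "USER_CHANGE_PERMISSIONS", "product_event_type": op,
                     "product_version": record.get("Version")},
        "security_result": {"action": action_from_result(record.get("ResultStatus"))},
        "target": {
            "file": {"full_path": folder.get("Path")},
            # The grantee may be a built-in principal rather than an address, hence userid too.
            "user": {"userid": upn, "email_addresses": [upn] if upn and "@" in upn else []},
            "resource": {"attribute": {"permissions": [{"name": r} for r in (rights or [])]}},
        },
        "network": {"session_id": record.get("SessionId")},
    }


def is_broad_grant(udm: dict) -> bool:
    """True for a successful Add/Modify that gives a built-in principal any right other than None."""
    if udm["security_result"]["action"] != "ALLOW":
        return False
    if udm["metadata"]["product_event_type"] == "RemoveFolderPermissions":
        return False
    if udm["target"]["user"]["userid"] not in BUILTIN_GRANTEES:
        return False
    return any(p["name"] != "None" for p in udm["target"]["resource"]["attribute"]["permissions"])


# Constructed samples in the Exchange mailbox-audit shape.
SAMPLE_ADD = {
    "Operation": "AddFolderPermissions", "Workload": "Exchange", "ResultStatus": "Succeeded",
    "Version": "1", "SessionId": "sess-0002", "MailboxOwnerUPN": "alice@example.com",
    "Item": {"ParentFolder": {"Path": "\\Inbox", "MemberUpn": "Default", "MemberRights": "Reviewer"}},
}
SAMPLE_FAILED_REMOVE = {
    "Operation": "RemoveFolderPermissions", "Workload": "Exchange", "ResultStatus": "Failed",
    "Version": "1", "SessionId": "sess-0003",
    "Item": {"ParentFolder": {"Path": "\\Calendar", "MemberUpn": "bob@example.com",
                              "MemberRights": "Editor"}},
}

if __name__ == "__main__":
    for rec in (SAMPLE_ADD, SAMPLE_FAILED_REMOVE):
        udm = normalize_folder_permission(rec)
        print(rec["Operation"], udm["security_result"]["action"], is_broad_grant(udm))
```

Because a failed change still produces a USER_CHANGE_PERMISSIONS event with action BLOCK, detection content that counts permission changes should filter on security_result.action, otherwise denied attempts and successful grants are counted alike.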

Remove-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MailboxPermission" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
AppId target.labels.key/value
ClientAppId target.labels.key/value
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Add-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxPermission" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ClientAppId target.labels.key/value
SessionId network.session_id
Version metadata.product_version
AppId target.resource.attribute.labels.key/value
Parameters security_result.detection_fields.key/value
ObjectId target.resource.attribute.labels.key/value

UpdateInboxRules

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInboxRules" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ClientAppId target.labels.key/value
SessionId network.session_id
Version metadata.product_version
Item target.resource.product_object_id

target.resource.name

Item.ParentFolder.name is mapped to target.resource.name

Item.ParentFolder.id is mapped to target.resource.product_object_id

OperationProperties security_result.rule_id

security_result.rule_name

security_result.detection_fields.key/value

if Name is RuleId then Value is mapped to security_result.rule_id

if Name is RuleName then Value is mapped to security_result.rule_name

else

security_result.detection_fields.key/value

ClientRequestId principal.labels.key/value
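As an added illustration of how the rows above combine, the following Python normalizer (an example added here, not Chronicle's OFFICE_365 parser) walks a constructed UpdateInboxRules record through the table: it splits ClientIPAddress into principal.ip and principal.port, takes target.resource.name and target.resource.product_object_id from Item.ParentFolder, and promotes the RuleId and RuleName entries of OperationProperties while every other Name/Value pair lands in security_result.detection_fields. The sample record, all of its values, and the capitalized Item key names (Id/Name) are assumptions.

```python
"""Normalize a constructed Exchange 'UpdateInboxRules' audit record into UDM-style fields.

Added example: this is not Chronicle's OFFICE_365 parser, only a Python walk
through the mapping table on this page. The sample record is constructed.
"""
from __future__ import annotations

import ipaddress
import json
from typing import Any

# Constructed sample record (not a real audit log entry). The "Item" keys are
# assumed to be capitalized Id/Name; the table on this page writes them as id/name.
SAMPLE_RECORD = json.dumps({
    "Operation": "UpdateInboxRules",
    "Workload": "Exchange",
    "LogonType": 0,
    "InternalLogonType": 0,
    "MailboxGuid": "00000000-0000-0000-0000-000000000001",
    "MailboxOwnerUPN": "alice@example.com",
    "MailboxOwnerSid": "S-1-5-21-1-2-3-1001",
    "LogonUserSid": "S-1-5-21-1-2-3-1001",
    "LogonUserDisplayName": "Alice Example",
    "OriginatingServer": "EXCH01 (15.20.1234.000)",
    "OrganizationName": "example.onmicrosoft.com",
    "ClientInfoString": "Client=OWA;Action=ViaProxy",
    "ClientIPAddress": "203.0.113.10:51234",
    "ClientProcessName": "OUTLOOK.EXE",
    "ClientVersion": "16.0.15128.20248",
    "SessionId": "constructed-session-1",
    "Version": 1,
    "Item": {"Id": "item-1", "ParentFolder": {"Id": "folder-1", "Name": "Inbox"}},
    "OperationProperties": [
        {"Name": "RuleId", "Value": "rule-1"},
        {"Name": "RuleName", "Value": "Move invoices"},
        {"Name": "RuleActions", "Value": "MoveToFolder:Archive"},
    ],
    "ClientRequestId": "constructed-request-1",
})

# One-to-one rows of the table. Paths ending in ".labels" stand for the
# ".labels.key/value" cells and are collected into a dict keyed by log field.
# LogonType is carried as its raw value; the enum conversion is the parser's own.
DIRECT_FIELDS = {
    "LogonType": "extensions.auth.mechanism",
    "InternalLogonType": "about.labels",
    "MailboxGuid": "target.labels",
    "MailboxOwnerUPN": "target.user.email_addresses",
    "MailboxOwnerSid": "target.user.windows_sid",
    "MailboxOwnerMasterAccountSid": "target.labels",
    "LogonUserSid": "principal.user.windows_sid",
    "LogonUserDisplayName": "principal.user.user_display_name",
    "OriginatingServer": "principal.hostname",
    "OrganizationName": "target.administrative_domain",
    "ClientInfoString": "network.http.user_agent",
    "ClientMachineName": "principal.hostname",  # overrides OriginatingServer when present
    "ClientProcessName": "principal.process.file.full_path",
    "ClientVersion": "metadata.product_version",
    "ClientAppId": "target.labels",
    "SessionId": "network.session_id",
    "Version": "metadata.product_version",
    "ClientRequestId": "principal.labels",
}


def split_ip_port(value: str) -> tuple[str | None, int | None]:
    """Split ClientIPAddress into (ip, port); handles 'v4:port', '[v6]:port' and bare addresses."""
    if not value:
        return None, None
    host, port = value, None
    if value.startswith("["):                      # [ipv6]:port
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else None
    elif value.count(":") == 1:                    # ipv4:port
        host, _, port = value.partition(":")
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:                             # not an address: leave principal.ip unset
        return None, None
    return ip, (int(port) if port and port.isdigit() else None)


def normalize_update_inbox_rules(raw: str) -> dict[str, Any]:
    """Return a flat dict keyed by UDM path, following the UpdateInboxRules table."""
    rec = json.loads(raw)
    udm: dict[str, Any] = {"metadata.event_type": "USER_RESOURCE_UPDATE_CONTENT"}
    for field, path in DIRECT_FIELDS.items():
        if field not in rec:
            continue
        if path.endswith(".labels"):
            udm.setdefault(path, {})[field] = str(rec[field])
        elif path.endswith("email_addresses"):
            # MailboxOwnerUPN: an address goes to email_addresses, anything else to userid.
            if "@" in str(rec[field]):
                udm[path] = [rec[field]]
            else:
                udm["target.user.userid"] = rec[field]
        else:
            udm[path] = rec[field]
    ip, port = split_ip_port(str(rec.get("ClientIPAddress", "")))
    if ip:
        udm["principal.ip"] = [ip]
    if port is not None:
        udm["principal.port"] = port
    folder = (rec.get("Item") or {}).get("ParentFolder") or {}
    if folder.get("Name"):
        udm["target.resource.name"] = folder["Name"]
    if folder.get("Id"):
        udm["target.resource.product_object_id"] = folder["Id"]
    # OperationProperties: RuleId/RuleName are promoted, the rest become detection fields.
    for prop in rec.get("OperationProperties") or []:
        name, value = prop.get("Name"), prop.get("Value")
        if name == "RuleId":
            udm["security_result.rule_id"] = value
        elif name == "RuleName":
            udm["security_result.rule_name"] = value
        elif name:
            udm.setdefault("security_result.detection_fields", {})[name] = value
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_update_inbox_rules(SAMPLE_RECORD), indent=2))
```

The promotion step is worth testing against records whose OperationProperties omit RuleId or RuleName: the function then leaves security_result.rule_id or rule_name unset rather than inventing a value, which is the behaviour a detection rule over UDM should be written to expect.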

UpdateCalendarDelegation

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCalendarDelegation" and workload "Exchange":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is SERVICE_ACCOUNT |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |

ApplyRecordLabel

The following table lists the log fields and corresponding UDM mappings for the operation "ApplyRecordLabel" and workload "Exchange":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to GENERIC_EVENT |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |

UpdateFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderPermissions" and workload "Exchange":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS; target.resource.resource_type is set to STORAGE_OBJECT |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |

Set-User

The following table lists the log fields and corresponding UDM mappings for the operation "Set-User" and workload "Exchange":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_CREATION; ObjectId is set to target.user.userid or target.user.email_addresses |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| Version | metadata.product_version |

ViewReport

The following table lists the log fields and corresponding UDM mappings for the operation "ViewReport" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to RESOURCE_READ |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.name |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| ConsumptionMethod | target.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| DistributionMethod | about.labels.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.attribute.labels.key/value |

GenerateEmbedToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateEmbedToken" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is set to target.file.full_path |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| ConsumptionMethod | target.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| DistributionMethod | about.labels.key/value |
| ReportId | target.resource.attribute.labels.key/value |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| EmbedTokenId | target.resource.product_object_id |
| RLSIdentities | about.user.email_addresses, about.user.attribute.roles.name. RLSIdentities.UserName is mapped to about.user.email_addresses; RLSIdentities.Roles is mapped to about.user.attribute.roles.name |

CreateDataset

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataset" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.name |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |

GenerateCustomVisualAADAccessToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateCustomVisualAADAccessToken" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| CustomVisualAccessTokenResourceId | target.resource.product_object_id |
| CustomVisualAccessTokenSiteUri | target.url |

DeleteOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteOrganizationalGalleryItem" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |

DeleteAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteAlmPipeline" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |

AddDatasourceToGateway

The following table lists the log fields and corresponding UDM mappings for the operation "AddDatasourceToGateway" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| GatewayId | target.resource.attribute.labels.key/value |
| GatewayType | target.labels.key/value |
| DatasourceId | target.resource.product_object_id |
| DatasourceType | target.resource.attribute.labels.key/value |

AssignWorkspaceToPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "AssignWorkspaceToPipeline" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | principal.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | principal.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| DeploymentPipelineStageOrder | target.labels.key/value |

CancelDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "CancelDataflowRefresh" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |

ChangeCapacityState

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeCapacityState" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to STATUS_UPDATE |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CapacityName | target.resource.name |
| CapacityUsers | about.labels.key/value |
| CapacityState | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

ChangeGatewayAdministrators

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeGatewayAdministrators" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.product_object_id |
| UserInformation | about.user.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

InsertOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "InsertOrganizationalGalleryItem" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

CreateAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "CreateAlmPipeline" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

CreateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateApp" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

CreateDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDashboard" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. If IsSuccess is true, security_result.summary is "Dashboard created successfully"; otherwise security_result.summary is "Dashboard not created" |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
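The Power BI tables share two multi-valued rows (SharingInformation, which yields one "about" user per recipient, and OrgAppPermission, detailed under ViewReport) and, for the Create* operations, an IsSuccess rule that decides security_result.summary. The Python below is an example added here, not Chronicle's parser: it implements those shared rows plus the summary rule for CreateDashboard, CreateDataflow and CreateEmailSubscription (event types and summary wording taken from the tables on this page), and the CreateDashboard target rows. The sample record and every value in it are constructed; treating only a JSON boolean true as success is an assumption about how the "IsSuccess is true" test should behave on malformed input.

```python
"""Normalize constructed Power BI audit records into UDM-style fields.

Added example, not Chronicle's OFFICE_365 parser. Sample record is constructed.
"""
from __future__ import annotations

import json
from typing import Any

# metadata.event_type and summary noun per operation, from the tables on this page.
EVENT_TYPE_BY_OPERATION = {
    "CreateDashboard": "USER_RESOURCE_CREATION",
    "CreateDataflow": "RESOURCE_CREATION",
    "CreateEmailSubscription": "SCHEDULED_TASK_CREATION",
}
SUMMARY_NOUN_BY_OPERATION = {
    "CreateDashboard": "Dashboard",
    "CreateDataflow": "Dataflow",
    "CreateEmailSubscription": "EmailSubscription",
}

# Constructed sample (not a real audit entry).
SAMPLE_DASHBOARD_RECORD = json.dumps({
    "Operation": "CreateDashboard",
    "Workload": "PowerBI",
    "IsSuccess": True,
    "DashboardName": "Quarterly revenue",
    "DashboardId": "dashboard-1",
    "WorkspaceId": "workspace-1",
    "WorkSpaceName": "Finance",
    "UserAgent": "constructed-agent/1.0",
    "RequestId": "request-1",
    "ActivityId": "activity-1",
    "OrgAppPermission": {"recipients": "finance-team@example.com", "permissions": "Read"},
    "SharingInformation": [
        {"RecipientEmail": "bob@example.com", "RecipientName": "Bob Example",
         "ObjectId": "user-1", "ResharePermission": "Read"},
        {"RecipientEmail": "carol@example.com", "RecipientName": "Carol Example",
         "ObjectId": "user-2", "ResharePermission": "ReadReshare"},
    ],
})


def summarize_outcome(operation: str, is_success: Any) -> str:
    """security_result.summary: the success wording only when IsSuccess is the boolean true."""
    noun = SUMMARY_NOUN_BY_OPERATION[operation]
    return f"{noun} created successfully" if is_success is True else f"{noun} not created"


def map_sharing_information(entries: list[dict] | None) -> list[dict[str, Any]]:
    """One 'about' user per SharingInformation element, per the ViewReport table."""
    mapping = {
        "RecipientEmail": "about.user.email_addresses",
        "RecipientName": "about.user.user_display_name",
        "ObjectId": "about.user.product_object_id",
        "ResharePermission": "about.user.attribute.permissions.name",
    }
    users = []
    for entry in entries or []:
        user = {path: entry[key] for key, path in mapping.items() if entry.get(key)}
        if user:
            users.append(user)
    return users


def map_org_app_permission(value: dict | None) -> dict[str, Any]:
    """recipients -> target.user.email_addresses, permissions -> target.user.attribute.permissions.name."""
    out: dict[str, Any] = {}
    if not value:
        return out
    recipients = value.get("recipients")
    if recipients:
        out["target.user.email_addresses"] = recipients if isinstance(recipients, list) else [recipients]
    if value.get("permissions"):
        out["target.user.attribute.permissions.name"] = value["permissions"]
    return out


def normalize_powerbi_record(raw: str) -> dict[str, Any]:
    """Flat dict keyed by UDM path for the three Create* operations with an IsSuccess summary."""
    rec = json.loads(raw)
    op = rec.get("Operation")
    if op not in EVENT_TYPE_BY_OPERATION:
        raise ValueError(f"operation not covered by this example: {op!r}")
    udm: dict[str, Any] = {
        "metadata.event_type": EVENT_TYPE_BY_OPERATION[op],
        "security_result.summary": summarize_outcome(op, rec.get("IsSuccess")),
    }
    udm.update(map_org_app_permission(rec.get("OrgAppPermission")))
    about = map_sharing_information(rec.get("SharingInformation"))
    if about:
        udm["about"] = about
    if rec.get("UserAgent"):
        udm["network.http.user_agent"] = rec["UserAgent"]
    if op == "CreateDashboard":  # target rows specific to the CreateDashboard table
        if rec.get("DashboardName"):
            udm["target.resource.name"] = rec["DashboardName"]
        if rec.get("DashboardId"):
            udm["target.resource.product_id"] = rec["DashboardId"]
    labels = {k: rec[k] for k in ("WorkspaceId", "WorkSpaceName") if rec.get(k)}
    if labels:
        udm["target.resource.attribute.labels"] = labels
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_powerbi_record(SAMPLE_DASHBOARD_RECORD), indent=2))
```

Because a failed creation still produces an event (only the summary differs), a detection that counts resource creations should filter on security_result.summary or on IsSuccess rather than on metadata.event_type alone.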

CreateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataflow" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to RESOURCE_CREATION. If IsSuccess is true, security_result.summary is "Dataflow created successfully"; otherwise security_result.summary is "Dataflow not created" |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DataflowType | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |

CreateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "CreateEmailSubscription" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SCHEDULED_TASK_CREATION. If IsSuccess is true, security_result.summary is "EmailSubscription created successfully"; otherwise security_result.summary is "EmailSubscription not created". ObjectId is set to target.file.full_path |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| SubscriptionSchedule | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| SubscribeeInformation | network.email.to |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |

CreateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "CreateFolder" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| FolderDisplayName | target.resource.name |
| FolderObjectId | target.resource.attribute.labels.key/value |

CreateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "CreateGateway" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| GatewayId | target.resource.product_object_id |
| GatewayType | target.labels.key/value |

CreateTemplateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTemplateApp" and workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |

DeleteComment

The following table lists the log fields and the corresponding UDM mappings for the "DeleteComment" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| AuditedArtifactInformation | target.resource.name, target.resource.product_object_id, target.resource.attribute.labels.key/value. Name is mapped to target.resource.name; ArtifactObjectId is set to target.resource.product_object_id; AnnotatedItemType is mapped to target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |

DeleteDashboard

The following table lists the log fields and the corresponding UDM mappings for the "DeleteDashboard" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| DashboardName | target.resource.name |
| Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name |
| DistributionMethod | about.labels.key/value |

DeleteDataflow

The following table lists the log fields and the corresponding UDM mappings for the "DeleteDataflow" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |

DeleteDataset

The following table lists the log fields and the corresponding UDM mappings for the "DeleteDataset" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |

DeleteEmailSubscription

The following table lists the log fields and the corresponding UDM mappings for the "DeleteEmailSubscription" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SCHEDULED_TASK_DELETION. ObjectId is set to target.file.full_path |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |

DeleteFolder

The following table lists the log fields and the corresponding UDM mappings for the "DeleteFolder" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. If isSuccess is TRUE, then security_result.action is set to ALLOW; otherwise security_result.action is set to BLOCK |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

DeleteGateway

The following table lists the log fields and the corresponding UDM mappings for the "DeleteGateway" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

DeleteGroup

The following table lists the log fields and the corresponding UDM mappings for the "DeleteGroup" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to GROUP_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

DeleteReport

The following table lists the log fields and the corresponding UDM mappings for the "DeleteReport" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |

DownloadReport

The following table lists the log fields and the corresponding UDM mappings for the "DownloadReport" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |

EditDataset

The following table lists the log fields and the corresponding UDM mappings for the "EditDataset" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |

EditDatasetProperties

The following table lists the log fields and the corresponding UDM mappings for the "EditDatasetProperties" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetCertificationStage | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |

EditReport

The following table lists the log fields and the corresponding UDM mappings for the "EditReport" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.attribute.labels.key/value |
| ReportType | target.resource.attribute.labels.key/value |

ExportDataflow

The following table lists the log fields and the corresponding UDM mappings for the "ExportDataflow" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If isSuccess is TRUE, then security_result.summary is "Dataflow Exported Successfully"; otherwise security_result.summary is "Dataflow Not Exported" |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

ExportReport

The following table lists the log fields and the corresponding UDM mappings for the "ExportReport" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If isSuccess is TRUE, then security_result.summary is "Report Exported Successfully"; otherwise security_result.summary is "Report Not Exported" |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
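The conditional rows above (DeleteFolder's isSuccess to security_result.action, and the ExportDataflow and ExportReport summaries) are easier to verify against a concrete record than to read in a table. The following is an added example, not the Chronicle OFFICE_365 parser's code: it reimplements only those three tables (plus the shared SharingInformation and label rows) over constructed sample records; the record field names follow the tables, and the mapper name `map_powerbi_record` and the samples are assumptions of this example.

```python
"""Apply the documented PowerBI mappings for DeleteFolder, ExportDataflow and
ExportReport to a constructed Office 365 audit record (added example; not the
Chronicle parser itself)."""
import json
from typing import Any

# security_result.summary strings from the ExportDataflow / ExportReport
# tables: (value when isSuccess is TRUE, value otherwise).
EXPORT_SUMMARIES = {
    "ExportDataflow": ("Dataflow Exported Successfully", "Dataflow Not Exported"),
    "ExportReport": ("Report Exported Successfully", "Report Not Exported"),
}

# Rows shared by the three tables that map to repeated key/value labels.
# "about" is a repeated noun in UDM, so its labels are collected separately.
LABEL_ROWS = {
    "AppName": "target.labels",
    "DataClassification": "target.labels",
    "WorkSpaceName": "target.resource.attribute.labels",
    "ActivityId": "principal.labels",
    "SwitchState": "about.labels",
    "RequestId": "about.labels",
}


def _walk(udm: dict, parts: list) -> dict:
    """Return the dict at a dotted path, creating intermediate dicts."""
    node = udm
    for part in parts:
        node = node.setdefault(part, {})
    return node


def _set(udm: dict, path: str, value: Any) -> None:
    parts = path.split(".")
    _walk(udm, parts[:-1])[parts[-1]] = value


def _add_label(udm: dict, path: str, key: str, value: Any) -> None:
    parts = path.split(".")
    _walk(udm, parts[:-1]).setdefault(parts[-1], []).append(
        {"key": key, "value": str(value)})


def map_sharing_information(entries: list) -> list:
    """SharingInformation row: each recipient becomes its own about.user."""
    return [{"user": {
        "email_addresses": [e["RecipientEmail"]],
        "user_display_name": e.get("RecipientName"),
        "product_object_id": e.get("ObjectId"),
        "attribute": {"permissions": [{"name": e.get("ResharePermission")}]},
    }} for e in entries]


def map_powerbi_record(record: dict) -> dict:
    op = record.get("Operation")
    success = bool(record.get("isSuccess"))
    udm: dict = {"metadata": {}, "security_result": {}, "about": []}
    if op == "DeleteFolder":
        udm["metadata"]["event_type"] = "USER_RESOURCE_DELETION"
        udm["security_result"]["action"] = "ALLOW" if success else "BLOCK"
        if "FolderObjectId" in record:
            _set(udm, "target.resource.product_object_id", record["FolderObjectId"])
    elif op in EXPORT_SUMMARIES:
        udm["metadata"]["event_type"] = "SYSTEM_AUDIT_LOG_UNCATEGORIZED"
        ok_summary, failed_summary = EXPORT_SUMMARIES[op]
        udm["security_result"]["summary"] = ok_summary if success else failed_summary
        # ExportDataflow names the dataflow; ExportReport names the dataset.
        id_field, name_field = (("DataflowId", "DataflowName") if op == "ExportDataflow"
                                else ("DatasetId", "DatasetName"))
        if id_field in record:
            _set(udm, "target.resource.product_object_id", record[id_field])
        if name_field in record:
            _set(udm, "target.resource.name", record[name_field])
    else:
        raise ValueError(f"operation {op!r} is outside this example")
    if "UserAgent" in record:
        _set(udm, "network.http.user_agent", record["UserAgent"])
    about_labels = []
    for field, path in LABEL_ROWS.items():
        if field not in record:
            continue
        if path == "about.labels":
            about_labels.append({"key": field, "value": str(record[field])})
        else:
            _add_label(udm, path, field, record[field])
    if about_labels:
        udm["about"].append({"labels": about_labels})
    udm["about"].extend(map_sharing_information(record.get("SharingInformation", [])))
    return udm


# Constructed sample records (not from any real tenant).
SAMPLE_EXPORT_DATAFLOW = {
    "Operation": "ExportDataflow", "Workload": "PowerBI", "isSuccess": True,
    "UserAgent": "Mozilla/5.0 (constructed)", "AppName": "Sales App",
    "RequestId": "req-0001", "ActivityId": "act-0001", "WorkSpaceName": "Finance",
    "DataflowId": "df-1234", "DataflowName": "Quarterly Spend",
    "SharingInformation": [{"RecipientEmail": "analyst@example.com",
                            "RecipientName": "Analyst One", "ObjectId": "user-42",
                            "ResharePermission": "Read"}],
}
SAMPLE_DELETE_FOLDER_FAILED = {
    "Operation": "DeleteFolder", "Workload": "PowerBI", "isSuccess": False,
    "FolderObjectId": "folder-7", "RequestId": "req-0002", "ActivityId": "act-0002",
}

if __name__ == "__main__":
    print(json.dumps(map_powerbi_record(SAMPLE_EXPORT_DATAFLOW), indent=2))
    print(json.dumps(map_powerbi_record(SAMPLE_DELETE_FOLDER_FAILED), indent=2))
```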

InstallApp

The following table lists the log fields and the corresponding UDM mappings for the "InstallApp" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

InstallTemplateApp

The following table lists the log fields and the corresponding UDM mappings for the "InstallTemplateApp" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppFolderObjectId | about.labels.key/value |
| TemplateAppOwnerTenantObjectId | principal.user.product_object_id |
| TemplateAppVersion | metadata.product_version |
| TemplateAppObjectId | target.resource.product_object_id |
| TemplatePackageName | target.resource.name |

PostComment

The following table lists the log fields and the corresponding UDM mappings for the "PostComment" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| AuditedArtifactInformation | target.resource.name, target.resource.product_object_id, target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

PrintDashboard

The following table lists the log fields and the corresponding UDM mappings for the "PrintDashboard" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. ObjectId is set to target.file.full_path |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |

PrintReport

The following table lists the log fields and the corresponding UDM mappings for the "PrintReport" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |

UnassignWorkspaceFromPipeline

The following table lists the log fields and the corresponding UDM mappings for the "UnassignWorkspaceFromPipeline" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| DeploymentPipelineId | target.resource.attribute.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |

RemoveDatasourceFromGateway

The following table lists the log fields and the corresponding UDM mappings for the "RemoveDatasourceFromGateway" operation in the "PowerBI" workload:

| Log field | UDM mapping |
| --- | --- |
| | metadata.event_type is mapped to USER_RESOURCE_DELETION |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.attribute.labels.key/value |
| DatasourceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

RenameDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "RenameDashboard" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. ObjectId is set to target.file.full_path |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |

RequestDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "RequestDataflowRefresh" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowRefreshScheduleType | target.labels.key/value |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

RefreshDataset

The following table lists the log fields and corresponding UDM mappings for the operation "RefreshDataset" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RefreshType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |

SensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation "SensitivityLabelApplied" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| SensitivityLabelId | target.resource.product_object_id |
| ActionSourceDetail | principal.labels.key/value |
| LabelEventType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ArtifactType | about.labels.key/value |

SensitivityLabelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SensitivityLabelRemoved" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OldSensitivityLabelId | target.resource.product_object_id |
| ActionSource | principal.labels.key is set to ActionSource; principal.labels.value is set to {Value} |
| LabelEventType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActionSourceDetail | principal.labels.key/value |
| ArtifactType | about.labels.key/value |

SetScheduledRefreshOnDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "SetScheduledRefreshOnDataflow" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SCHEDULED_TASK_CREATION. target.resource.resource_type is set to TASK |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

SetScheduledRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "SetScheduledRefresh" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SCHEDULED_TASK_CREATION. target.resource.resource_type is set to TASK |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| Schedules | target.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |

ShareDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "ShareDashboard" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| SharingAction | about.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |

ShareReport

The following table lists the log fields and corresponding UDM mappings for the operation "ShareReport" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| Datasets | about.resource.product_object_id, about.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| ArtifactId | target.resource.product_object_id |
| ArtifactName | target.resource.name |
| SharingAction | about.labels.key/value |
| ShareLinkId | about.labels.key/value |

OptInForProTrial

The following table lists the log fields and corresponding UDM mappings for the operation "OptInForProTrial" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UnpublishApp

The following table lists the log fields and corresponding UDM mappings for the operation "UnpublishApp" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to STATUS_UPDATE |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.product_object_id |
| WorkSpaceName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UpdateOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateOrganizationalGalleryItem" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |

UpdateAlmPipelineAccess

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateAlmPipelineAccess" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| DeploymentPipelineDisplayName | target.resource.name |
| DeploymentPipelineAccesses | about.user.userid, about.user.attribute.permissions.name. userid is mapped to about.user.userid; Rolepermission is mapped to about.user.attribute.permissions.name |

UpdateInstalledTemplateAppParameters

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInstalledTemplateAppParameters" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
| TemplatePackageName | target.resource.name |
| TemplateAppVersion | metadata.product_version |
| TemplateAppFolderObjectId | about.labels.key/value |

UpdatedAdminFeatureSwitch

The following table lists the log fields and corresponding UDM mappings for the operation "UpdatedAdminFeatureSwitch" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is mapped to SETTING |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| SwitchState | about.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UpdateApp

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateApp" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UpdateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDataflow" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UpdateDatasetParameters

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasetParameters" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |

UpdateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateEmailSubscription" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION. target.resource.resource_type is mapped to TASK |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| SubscriptionSchedule | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| SubscribeeInformation | network.email.to |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |

UpdateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolder" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| FolderDisplayName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UpdateFolderAccess

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderAccess" and the workload "PowerBI":

| Log field | UDM mapping |
| --- | --- |
|  | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. We map this field based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| FolderDisplayName | target.resource.name |
| FolderAccessRequests | about.user.userid, about.user.product_object_id, about.user.attribute.permissions.type. UserId is mapped to about.user.userid; UserObjectId is set to about.user.product_object_id; RolePermissions is mapped to about.user.attribute.permissions.type |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |

UpdateDatasourceCredentials

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasourceCredentials" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
GatewayId target.resource.attribute.labels.key/value
DatasourceId target.resource.product_object_id
RequestId about.labels.key/value
ActivityId principal.labels.key/value

UpdateTemplateAppSettings

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppSettings" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AppName target.labels.key/value
ActivityId principal.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value
TemplateAppObjectId target.resource.product_object_id

UpdateTemplateAppTestPackagePermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppTestPackagePermissions" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value
ActivityId principal.labels.key/value
TemplateAppObjectId target.resource.product_object_id

ViewDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDashboard" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
UserAgent network.http.user_agent
ConsumptionMethod target.labels.key/value
DistributionMethod about.labels.key/value
ActivityId principal.labels.key/value
RequestId about.labels.key/value
Datasets about.resource.product_object_id, about.resource.name
    DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name.

DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

ViewDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDataflow" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value
CapacityName about.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value
ActivityId principal.labels.key/value
SensitivityLabelId security_result.detection_fields.key/value

AddTile

The following table lists the log fields and corresponding UDM mappings for the operation "AddTile" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
UserAgent network.http.user_agent
WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
TileText target.resource.attribute.labels.key/value
RequestId about.labels.key/value
ActivityId principal.labels.key/value

RunEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "RunEmailSubscription" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AppName target.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DashboardId target.resource.product_object_id
RequestId about.labels.key/value
ActivityId principal.labels.key/value
DistributionMethod about.labels.key/value

CreateReport

The following table lists the log fields and corresponding UDM mappings for the operation "CreateReport" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
ReportName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value
ActivityId principal.labels.key/value
DistributionMethod about.labels.key/value

GetSnapshots

The following table lists the log fields and corresponding UDM mappings for the operation "GetSnapshots" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value
ActivityId principal.labels.key/value

OptInForPPUTrial

The following table lists the log fields and corresponding UDM mappings for the operation "OptInForPPUTrial" and the workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
    Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
    RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name.

SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value
ActivityId principal.labels.key/value

Set-MailUser

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailUser" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol, target.user.email_addresses, target.group.email_addresses, network.email.mail_id
    If Name is EmailAddresses, the Value is split into email addresses and a mail key: the email addresses are mapped to target.user.email_addresses and the mail key to network.email.mail_id.
    If Name is ExternalEmailAddress, the Value is split into a protocol and email addresses: the protocol is mapped to network.application_protocol and the addresses to target.group.email_addresses.
    In summary: Protocol is mapped to network.application_protocol; EmailAddresses is mapped to target.user.email_addresses; ExternalEmailAddress is mapped to target.group.email_addresses.

Version metadata.product_version

Set-MailContact

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailContact" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol, target.user.email_addresses, target.group.email_addresses, network.email.mail_id
    If Name is EmailAddresses, the Value is split into email addresses and a mail key: the email addresses are mapped to target.user.email_addresses and the mail key to network.email.mail_id.
    If Name is ExternalEmailAddress, the Value is split into a protocol and email addresses: the protocol is mapped to network.application_protocol and the addresses to target.group.email_addresses.
    In summary: Protocol is mapped to network.application_protocol; EmailAddresses is mapped to target.user.email_addresses; ExternalEmailAddress is mapped to target.group.email_addresses.

Version metadata.product_version

Set-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Mailbox" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Set-DistributionGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-DistributionGroup" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group members definition

If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK.

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses, security_result.description, target.group.attribute.labels.key/value
    If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses.
    If Name is AcceptMessagesOnlyFromSendersOrMembers, Value is mapped to security_result.description.
    Otherwise, Name and Value are mapped to target.group.attribute.labels.key/value.

SessionId network.session_id
Version metadata.product_version

Set-Contact

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Contact" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol, target.user.email_addresses, target.group.email_addresses, network.email.mail_id
    If Name is EmailAddresses, the Value is split into email addresses and a mail key: the email addresses are mapped to target.user.email_addresses and the mail key to network.email.mail_id.
    If Name is ExternalEmailAddress, the Value is split into a protocol and email addresses: the protocol is mapped to network.application_protocol and the addresses to target.group.email_addresses.
    In summary: Protocol is mapped to network.application_protocol; EmailAddresses is mapped to target.user.email_addresses; ExternalEmailAddress is mapped to target.group.email_addresses.

Version metadata.product_version

CASMailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CASMailbox" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value
ClientAppId target.labels.key/value
ModifiedObjectResolvedName about.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Set-CalendarProcessing

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CalendarProcessing" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.user_display_name
    If Name is ResourceDelegates, Value is mapped to target.user.user_display_name.

SessionId network.session_id
Version metadata.product_version

Set-AdminAuditLogConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-AdminAuditLogConfig" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

ObjectId is mapped to target.url

target.resource.resource_type is set to SETTING

AppId target.labels.key/value
ClientAppId target.labels.key/value
ModifiedObjectResolvedName about.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Remove-UnifiedGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-UnifiedGroup" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
Version metadata.product_version

Remove-MigrationUser

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MigrationUser" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

ObjectId is set to target.user.userid or target.user.email_addresses

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Update-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Update-eDiscoveryCaseAdmin" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Remove-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-DistributionGroupMember" and the workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK.

AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses, target.user.product_object_id or target.user.email_addresses or target.user.user_display_name, target.group.attribute.labels.key/value
    If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses.
    If Name is Member, Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name.
    Otherwise, Name and Value are mapped to target.group.attribute.labels.key/value.

Version metadata.product_version
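The Parameters rules above (the EmailAddresses and ExternalEmailAddress rules from the Set-MailUser, Set-MailContact and Set-Contact tables, and the Identity, Member and ResultStatus rules from the Set-DistributionGroup and Remove-DistributionGroupMember tables) applied to constructed Exchange audit records, as an added Python example that is not Chronicle's parser code. It assumes Parameters is a list of Name/Value objects, that proxy addresses use the Exchange "PREFIX:address" form, that the page's "Action" is security_result.action, and, where the page says "product_object_id or email_addresses or user_display_name", it chooses by the shape of the value.

```python
import re

# Constructed sample records (not real tenant data), shaped like Office 365
# management-activity entries for the Exchange workload.
SET_MAILUSER_RECORD = {
    "Operation": "Set-MailUser",
    "ObjectId": "Alice Example",
    "Parameters": [
        {"Name": "Identity", "Value": "alice"},
        {"Name": "EmailAddresses", "Value": "SMTP:alice@example.com,smtp:alice.old@example.com"},
        {"Name": "ExternalEmailAddress", "Value": "SMTP:alice@partner.example"},
    ],
}
REMOVE_MEMBER_RECORD = {
    "Operation": "Remove-DistributionGroupMember",
    "ObjectId": "All Staff",
    "ResultStatus": "True",
    "Parameters": [
        {"Name": "Identity", "Value": "all-staff@example.com"},
        {"Name": "Member", "Value": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
        {"Name": "Confirm", "Value": "False"},
    ],
}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def split_proxy_address(item):
    """Split 'SMTP:alice@example.com' into ('SMTP', 'alice@example.com').
    A value without a prefix yields ('', value). Assumed proxy-address format."""
    prefix, sep, addr = item.strip().partition(":")
    return (prefix, addr.strip()) if sep else ("", prefix)


def map_mail_parameters(parameters):
    """Set-MailUser / Set-MailContact / Set-Contact: the Parameters rules."""
    udm = {"target.user.email_addresses": [], "network.email.mail_id": [],
           "target.group.email_addresses": []}
    for p in parameters:
        name, value = p.get("Name"), p.get("Value", "")
        if name == "EmailAddresses":
            # Comma-separated proxy addresses: the address goes to
            # target.user.email_addresses, the prefix (mail key) to network.email.mail_id.
            for item in value.split(","):
                key, addr = split_proxy_address(item)
                if addr:
                    udm["target.user.email_addresses"].append(addr)
                if key:
                    udm["network.email.mail_id"].append(key)
        elif name == "ExternalEmailAddress":
            # Protocol -> network.application_protocol, address -> target.group.email_addresses.
            proto, addr = split_proxy_address(value)
            if proto:
                udm["network.application_protocol"] = proto
            if addr:
                udm["target.group.email_addresses"].append(addr)
    return {k: v for k, v in udm.items() if v}


def map_group_parameters(record):
    """Set-DistributionGroup / Remove-DistributionGroupMember rules."""
    succeeded = str(record.get("ResultStatus")).lower() == "true"
    udm = {
        "metadata.event_type": "GROUP_MODIFICATION",
        "target.group.group_display_name": record.get("ObjectId", ""),
        "security_result.summary": "Group members definition",
        # The page says "Action"; security_result.action is the assumed UDM field.
        "security_result.action": "ALLOW" if succeeded else "BLOCK",
        "target.group.attribute.labels": {},
    }
    for p in record.get("Parameters", []):
        name, value = p.get("Name"), p.get("Value", "")
        if name == "Identity":
            if "@" in value:
                udm["target.group.email_addresses"] = [value]
            else:
                udm["target.group.product_object_id"] = value
        elif name == "Member":
            if "@" in value:
                udm["target.user.email_addresses"] = [value]
            elif GUID_RE.match(value):
                udm["target.user.product_object_id"] = value
            else:
                udm["target.user.user_display_name"] = value
        elif name == "AcceptMessagesOnlyFromSendersOrMembers":
            udm["security_result.description"] = value
        else:
            # Any other parameter is kept as a Name/Value label.
            udm["target.group.attribute.labels"][name] = value
    return udm
```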

ViewedSearchExported

The following table lists the log fields and corresponding UDM mappings for the operation "ViewedSearchExported" and the workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters principal.process.command_line
    If Name is CmdletOptions, the Value is stored in the process_args variable; if Name is Cmdlet, the Value is stored in the process_value variable. principal.process.command_line is then set to "{process_value} {process_args}".

Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id, about.labels.key/value
    If Name is CaseId, the ID is mapped to target.resource.product_object_id; if Name is SearchIds, the ID is mapped to about.labels.key/value.

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

AddWorkingSetQueryToWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "AddWorkingSetQueryToWorkingSet" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

AddQueryToWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "AddQueryToWorkingSet" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

RunAlgo

The following table lists the log fields and corresponding UDM mappings for the operation "RunAlgo" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

AnnotateDocument

The following table lists the log fields and corresponding UDM mappings for the operation "AnnotateDocument" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

BurnJob

The following table lists the log fields and corresponding UDM mappings for the operation "BurnJob" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

CreateWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingSet" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

CreateWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingsetSearch" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

CreateTag

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTag" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

DeleteWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteWorkingsetSearch" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

DeleteTag

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteTag" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

DownloadDocument

The following table lists the log fields and corresponding UDM mappings for the operation "DownloadDocument" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

UpdateTag

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTag" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

ExportJob

The following table lists the log fields and corresponding UDM mappings for the operation "ExportJob" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

UpdateCaseSettings

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCaseSettings" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

UpdateWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateWorkingsetSearch" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

TagFiles

The following table lists the log fields and corresponding UDM mappings for the operation "TagFiles" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

ViewDocument

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDocument" and the workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

SearchViewed

The following table lists the log fields and corresponding UDM mappings for the operation "SearchViewed" and the workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id
    If Name is SearchIds, Value is mapped to target.resource.product_object_id.

ObjectType security_result.summary
Parameters principal.process.command_line
    If Name is CmdletOptions, the Value is stored in the process_args variable; if Name is Cmdlet, the Value is stored in the process_value variable. principal.process.command_line is then set to "{process_value} {process_args}".

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

CaseMemberAdded

The following table lists the log fields of the operation "CaseMemberAdded" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Extract target_user information using grok:

grok {
  match => {
    "Parameters" => ".*-(Member|User) %{DATA:target_user}"
  }
}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

SearchUpdated

The following table lists the log fields of the operation "SearchUpdated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

CaseAdminUpdated

The following table lists the log fields of the operation "CaseAdminUpdated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties about.user.email_addresses

about.user.product_object_id

If Name is CaseAdminsSmtp then Value is mapped to about.user.email_addresses

If Name is CaseAdminsGuid then Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

CaseUpdated

The following table lists the log fields of the operation "CaseUpdated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseMemberUpdated

The following table lists the log fields of the operation "CaseMemberUpdated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchPermissionUpdated

The following table lists the log fields of the operation "SearchPermissionUpdated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExtendedProperties principal.labels.key/value
ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

HoldUpdated

The following table lists the log fields of the operation "HoldUpdated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is HoldId then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchRemoved

The following table lists the log fields of the operation "SearchRemoved" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseAdminRemoved

The following table lists the log fields of the operation "CaseAdminRemoved" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

target.user.email_addresses

target.user.userid

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

target_user is mapped to target.user.email_addresses or target.user.userid

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseRemoved

The following table lists the log fields of the operation "CaseRemoved" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchPermissionRemoved

The following table lists the log fields of the operation "SearchPermissionRemoved" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties principal.labels.key/value
ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

HoldRemoved

The following table lists the log fields of the operation "HoldRemoved" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is HoldId then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

HoldCreated

The following table lists the log fields of the operation "HoldCreated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is HoldId then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchCreated

The following table lists the log fields of the operation "SearchCreated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseAdminAdded

The following table lists the log fields of the operation "CaseAdminAdded" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchStarted

The following table lists the log fields of the operation "SearchStarted" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

SearchReport

The following table lists the log fields of the operation "SearchReport" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchStopped

The following table lists the log fields of the operation "SearchStopped" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseViewed

The following table lists the log fields of the operation "CaseViewed" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchExportDownloaded

The following table lists the log fields of the operation "SearchExportDownloaded" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Version metadata.product_version

CaseMemberRemoved

The following table lists the log fields of the operation "CaseMemberRemoved" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Extract target_user information using grok:

grok {
  match => {
    "Parameters" => ".*-(Member|User) %{DATA:target_user}"
  }
}

Version metadata.product_version

CaseAdded

The following table lists the log fields of the operation "CaseAdded" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

SearchPermissionCreated

The following table lists the log fields of the operation "SearchPermissionCreated" and the workload "SecurityComplianceCenter" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties principal.labels.key/value
ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version
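The Parameters and ExtendedProperties logic repeated across the SecurityComplianceCenter tables above (Cmdlet and CmdletOptions joined into principal.process.command_line, the target_user grok on the -Member/-User switch, and the CaseId, CaseMembersSmtp, CaseMembersGuid, SearchIds and HoldId properties) is worked through below in Python. This is an added illustration, not the Chronicle parser's own code: the audit record is constructed, the regex is a Python rendering of the grok pattern, and the choice between target.user.email_addresses and target.user.userid by the presence of "@", the flattened output dictionary and the EVENT_TYPE_BY_OPERATION subset are simplifications made here.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample (not a real tenant record): the Parameters and ExtendedProperties
# arrays of a SecurityComplianceCenter audit record in the shape the tables above act on.
SAMPLE_RECORD: Dict[str, Any] = {
    "Operation": "CaseMemberAdded",
    "Workload": "SecurityComplianceCenter",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Add-ComplianceCaseMember"},
        {"Name": "CmdletOptions",
         "Value": '-Case "Contoso Investigation" -Member alice@example.com'},
    ],
    "ExtendedProperties": [
        {"Name": "CaseId", "Value": "11111111-2222-3333-4444-555555555555"},
        {"Name": "CaseMembersSmtp", "Value": "alice@example.com"},
        {"Name": "CaseMembersSmtp", "Value": "bob@example.com"},
        {"Name": "CaseMembersGuid", "Value": "aaaaaaaa-0000-0000-0000-000000000001"},
        {"Name": "CaseMembersGuid", "Value": "aaaaaaaa-0000-0000-0000-000000000002"},
    ],
}

# metadata.event_type per operation, a subset taken from the tables above.
EVENT_TYPE_BY_OPERATION = {
    "CaseMemberAdded": "USER_CREATION",
    "CaseMemberRemoved": "USER_DELETION",
    "CaseAdminUpdated": "GROUP_MODIFICATION",
    "HoldCreated": "USER_RESOURCE_CREATION",
    "SearchRemoved": "USER_UNCATEGORIZED",
}

# Python rendering of the grok pattern ".*-(Member|User) %{DATA:target_user}":
# the (optionally quoted) value that follows the last -Member or -User switch.
TARGET_USER_RE = re.compile(r'.*-(?:Member|User)\s+"?([^"\s]+)"?')


def build_command_line(parameters: List[Dict[str, str]]) -> str:
    """Cmdlet -> process_value, CmdletOptions -> process_args, joined as
    "{process_value} {process_args}" for principal.process.command_line."""
    process_value = ""
    process_args = ""
    for param in parameters:
        if param.get("Name") == "Cmdlet":
            process_value = param.get("Value", "")
        elif param.get("Name") == "CmdletOptions":
            process_args = param.get("Value", "")
    return f"{process_value} {process_args}".strip()


def extract_target_user(command_line: str) -> Optional[str]:
    """Return the target_user captured by TARGET_USER_RE, or None when the cmdlet
    carries no -Member/-User switch (for example a search or hold cmdlet)."""
    match = TARGET_USER_RE.search(command_line)
    return match.group(1) if match else None


def map_extended_properties(props: List[Dict[str, str]]) -> Dict[str, Any]:
    """CaseId -> target.resource.product_object_id; each CaseMembersSmtp / CaseMembersGuid
    value -> about.user.*; SearchIds / HoldId -> about.labels. Flattened into lists here;
    the parser emits one repeated `about` noun per member."""
    udm: Dict[str, Any] = {}
    for prop in props:
        name, value = prop.get("Name"), prop.get("Value")
        if name == "CaseId":
            udm["target.resource.product_object_id"] = value
        elif name == "CaseMembersSmtp":
            udm.setdefault("about.user.email_addresses", []).append(value)
        elif name == "CaseMembersGuid":
            udm.setdefault("about.user.product_object_id", []).append(value)
        elif name in ("SearchIds", "HoldId"):
            udm.setdefault("about.labels", []).append({"key": name, "value": value})
    return udm


def map_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the SecurityComplianceCenter mapping logic to one audit record."""
    udm: Dict[str, Any] = {}
    event_type = EVENT_TYPE_BY_OPERATION.get(record.get("Operation", ""))
    if event_type:
        udm["metadata.event_type"] = event_type
    udm.update(map_extended_properties(record.get("ExtendedProperties", [])))
    command_line = build_command_line(record.get("Parameters", []))
    if command_line:
        udm["principal.process.command_line"] = command_line
    target_user = extract_target_user(command_line)
    if target_user:
        # Assumption made in this example: an '@' marks an SMTP address, anything
        # else is treated as a userid.
        if "@" in target_user:
            udm["target.user.email_addresses"] = [target_user]
        else:
            udm["target.user.userid"] = target_user
    return udm


if __name__ == "__main__":
    for key, value in map_record(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```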

NetworkConfigurationUpdated

The following table lists the log fields of the operation "NetworkConfigurationUpdated" and the workload "Yammer" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid

ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

ProcessProfileFields

The following table lists the log fields of the operation "ProcessProfileFields" and the workload "Yammer" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

SupervisorAdminToggled

The following table lists the log fields of the operation "SupervisorAdminToggled" and the workload "Yammer" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

NetworkSecurityConfigurationUpdated

The following table lists the log fields of the operation "NetworkSecurityConfigurationUpdated" and the workload "Yammer" and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

FileCreated

The following table lists the log fields of the "FileCreated" operation and the "Yammer" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_CREATION

If ResultStatus is TRUE then

security_result.action is ALLOW

else

security_result.action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

GroupCreation

The following table lists the log fields of the "GroupCreation" operation and the "Yammer" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

MessageDeleted

The following table lists the log fields of the "MessageDeleted" operation and the "Yammer" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

GroupDeletion

The following table lists the log fields of the "GroupDeletion" operation and the "Yammer" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

DataExport

The following table lists the log fields of the "DataExport" operation and the "Yammer" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

FileVisited

The following table lists the log fields of the "FileVisited" operation and the "Yammer" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to FILE_READ

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid

ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

StreamInvokeVideoView

The following table lists the log fields of the "StreamInvokeVideoView" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoShare

The following table lists the log fields of the "StreamInvokeVideoShare" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoLike

The following table lists the log fields of the "StreamInvokeVideoLike" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoUnLike

The following table lists the log fields of the "StreamInvokeVideoUnLike" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoUpload

The following table lists the log fields of the "StreamInvokeVideoUpload" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoDownload

The following table lists the log fields of the "StreamInvokeVideoDownload" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoSetLink

The following table lists the log fields of the "StreamInvokeVideoSetLink" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateGroup

The following table lists the log fields of the "StreamCreateGroup" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditGroup

The following table lists the log fields of the "StreamEditGroup" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteGroup

The following table lists the log fields of the "StreamDeleteGroup" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditGroupMemberships

The following table lists the log fields of the "StreamEditGroupMemberships" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateChannel

The following table lists the log fields of the "StreamCreateChannel" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditChannel

The following table lists the log fields of the "StreamEditChannel" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle network.http.referral_url
ResourceUrl target.url
Version metadata.product_version

StreamDeleteChannel

The following table lists the log fields of the "StreamDeleteChannel" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle network.http.referral_url
ResourceUrl target.url
Version metadata.product_version

StreamInvokeChannelSetThumbnail

The following table lists the log fields of the "StreamInvokeChannelSetThumbnail" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle network.http.referral_url
ResourceUrl target.url
Version metadata.product_version

StreamEditVideoPermissions

The following table lists the log fields of the "StreamEditVideoPermissions" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is Succeeded then

action is ALLOW

else

action is BLOCK

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditVideo

The following table lists the log fields of the "StreamEditVideo" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteVideo

The following table lists the log fields of the "StreamDeleteVideo" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditUserSettings

The following table lists the log fields of the "StreamEditUserSettings" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditAdminTenantSettings

The following table lists the log fields of the "StreamEditAdminTenantSettings" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateVideoComment

The following table lists the log fields of the "StreamCreateVideoComment" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteVideoComment

The following table lists the log fields of the "StreamDeleteVideoComment" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoTextTrackUpload

The following table lists the log fields of the "StreamInvokeVideoTextTrackUpload" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteVideoTextTrack

The following table lists the log fields of the "StreamDeleteVideoTextTrack" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoThumbnailUpload

The following table lists the log fields of the "StreamInvokeVideoThumbnailUpload" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is Succeeded then

action is ALLOW

else

action is BLOCK

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateVideo

The following table lists the log fields of the "StreamCreateVideo" operation and the "MicrosoftStream" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

DlpRuleMatch

The following table lists the log fields of the "DlpRuleMatch" operation and the "Exchange/SharePoint/OneDrive" workloads and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

security_result.category is set to DATA_EXFILTRATION

ObjectId is mapped to network.email.mail_id

SharePointMetaData network.http.referral_url

network.email.from

target.file.full_path

target.url

target.file.size

SiteCollectionUrl is mapped to network.http.referral_url

From is mapped to network.email.from (only if the log carries no ExchangeMetaData field)

FileName is mapped to target.file.full_path

FilePathUrl is mapped to target.url

FileSize is mapped to target.file.size

ExchangeMetaData network.email.from

network.email.to

network.email.bcc

network.email.cc

network.email.subject

From is mapped to network.email.from

To is mapped to network.email.to

BCC is mapped to network.email.bcc

CC is mapped to network.email.cc

RecipientCount is mapped to about.labels.key/value

Sent is mapped to about.labels.key/value

ExceptionInfo about.labels.key/value
PolicyDetails target.resource.product_object_id

security_result.summary

security_result.description

security_result.rule_id

security_result.rule_name

security_result.severity

security_result.confidence_details

security_result.detection_fields.key/value

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

SensitiveInformationTypeName is mapped to security_result.description

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

Severity is mapped to security_result.severity

SensitiveInformationDetailedClassificationAttributes.Confidence is mapped to security_result.confidence_details

SensitiveInformationDetailedClassificationAttributes.Count is mapped to security_result.detection_fields.key/value

IncidentId about.labels.key/value
Version metadata.product_version
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.Confidence security_result.confidence_details
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.ClassifierType security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.UniqueCount security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value security_result.detection_fields.key/value
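The DlpRuleMatch rows above combine fixed values, two alternative metadata blocks with a documented fallback (SharePointMetaData.From is used for network.email.from only when ExchangeMetaData is absent), and nested policy details. The following is an added example, not the Chronicle parser's own code, that re-implements those rows on two constructed audit records; the nesting of PolicyDetails/Rules/ConditionsMatched and the upper-casing of Severity are assumptions, not something the page documents.

```python
from typing import Any

# Constructed sample records (not real tenant data); top-level names follow the table above.
EXCHANGE_RECORD = {
    "Operation": "DlpRuleMatch", "Workload": "Exchange", "Version": 1,
    "ObjectId": "<constructed-message-id@contoso.example>",
    "ExchangeMetaData": {
        "From": "alice@contoso.example", "To": ["bob@fabrikam.example"],
        "CC": [], "BCC": [], "Subject": "Q3 payroll export",
        "RecipientCount": 1, "Sent": "2024-05-01T09:15:00",
    },
    "PolicyDetails": [{
        "PolicyId": "policy-constructed-1", "PolicyName": "PII outbound",
        "Rules": [{
            "RuleId": "rule-constructed-1", "RuleName": "Block SSN to external",
            "Severity": "High",
            # Assumed nesting for the SensitiveInformation* fields named in the table.
            "ConditionsMatched": {"SensitiveInformation": [
                {"SensitiveInformationTypeName": "U.S. Social Security Number (SSN)",
                 "Confidence": 85, "Count": 3}]},
        }],
    }],
}

SHAREPOINT_RECORD = {
    "Operation": "DlpRuleMatch", "Workload": "SharePoint", "Version": 1,
    "ObjectId": "https://contoso.example/sites/hr/Shared%20Documents/salaries.xlsx",
    "SharePointMetaData": {
        "From": "carol@contoso.example",
        "SiteCollectionUrl": "https://contoso.example/sites/hr",
        "FileName": "salaries.xlsx",
        "FilePathUrl": "https://contoso.example/sites/hr/Shared%20Documents/salaries.xlsx",
        "FileSize": 20480,
    },
    "PolicyDetails": [{"PolicyId": "policy-constructed-2", "PolicyName": "Finance data",
                       "Rules": [{"RuleId": "rule-constructed-2",
                                  "RuleName": "Audit shared finance files",
                                  "Severity": "Low"}]}],
}


def _put(udm: dict, path: str, value: Any) -> None:
    """Set a dotted UDM path such as 'network.email.from' inside a nested dict."""
    node = udm
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def _label(node: dict, list_name: str, key: str, value: Any) -> None:
    """Append a key/value pair to a repeated label field such as about.labels."""
    node.setdefault(list_name, []).append({"key": key, "value": str(value)})


def map_dlp_rule_match(record: dict) -> dict:
    """Apply the DlpRuleMatch rows: fixed fields, metadata blocks, one security_result per rule."""
    udm: dict = {"metadata": {"event_type": "EMAIL_TRANSACTION"}, "about": {}}
    if "Version" in record:
        udm["metadata"]["product_version"] = str(record["Version"])
    if "ObjectId" in record:
        _put(udm, "network.email.mail_id", record["ObjectId"])

    sp = record.get("SharePointMetaData") or {}
    for src, dst in (("SiteCollectionUrl", "network.http.referral_url"),
                     ("FileName", "target.file.full_path"),
                     ("FilePathUrl", "target.url"), ("FileSize", "target.file.size")):
        if src in sp:
            _put(udm, dst, sp[src])

    ex = record.get("ExchangeMetaData")
    if ex:
        for src, dst in (("From", "from"), ("To", "to"), ("BCC", "bcc"),
                         ("CC", "cc"), ("Subject", "subject")):
            if src in ex:
                _put(udm, f"network.email.{dst}", ex[src])
        for key in ("RecipientCount", "Sent"):
            if key in ex:
                _label(udm["about"], "labels", key, ex[key])
    elif "From" in sp:
        # Documented fallback: SharePointMetaData.From feeds network.email.from
        # only when the record carries no ExchangeMetaData block at all.
        _put(udm, "network.email.from", sp["From"])

    results = []
    for policy in record.get("PolicyDetails", []):
        if "PolicyId" in policy:
            _put(udm, "target.resource.product_object_id", policy["PolicyId"])
        for rule in policy.get("Rules", []):
            base = {"category": "DATA_EXFILTRATION", "summary": policy.get("PolicyName"),
                    "rule_id": rule.get("RuleId"), "rule_name": rule.get("RuleName")}
            if "Severity" in rule:
                base["severity"] = str(rule["Severity"]).upper()  # assumed UDM normalisation
            sits = rule.get("ConditionsMatched", {}).get("SensitiveInformation") or [None]
            for sit in sits:  # one result per matched sensitive-information type
                sr = dict(base)
                if sit:
                    sr["description"] = sit.get("SensitiveInformationTypeName")
                    sr["confidence_details"] = str(sit.get("Confidence"))
                    _label(sr, "detection_fields", "Count", sit.get("Count"))
                results.append(sr)
    udm["security_result"] = results or [{"category": "DATA_EXFILTRATION"}]
    return udm
```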

DlpRuleUndo

The following table lists the log fields of the "DlpRuleUndo" operation and the "SharePoint/OneDrive" workloads and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

security_result.category is set to DATA_EXFILTRATION

ObjectId is mapped to network.email.mail_id

SharePointMetaData network.http.referral_url

network.email.from

target.file.full_path

target.url

target.file.size

SiteCollectionUrl is mapped to network.http.referral_url

From is mapped to network.email.from (only if the log carries no ExchangeMetaData field)

FileName is mapped to target.file.full_path

FilePathUrl is mapped to target.url

FileSize is mapped to target.file.size

ExceptionInfo about.labels.key/value
PolicyDetails target.resource.product_object_id

security_result.summary

security_result.description

security_result.rule_id

security_result.rule_name

security_result.severity

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

SensitiveInformationTypeName is mapped to security_result.description

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

Severity is mapped to security_result.severity

IncidentId about.labels.key/value
Version metadata.product_version
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.Confidence security_result.confidence_details
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.ClassifierType security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.UniqueCount security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value security_result.detection_fields.key/value

DlpInfo

The following table lists the log fields of the "DlpInfo" operation and the "SharePoint/OneDrive" workloads and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

security_result.category is set to DATA_EXFILTRATION

ObjectId is mapped to network.email.mail_id

SharePointMetaData network.http.referral_url

network.email.from

target.file.full_path

target.url

target.file.size

SiteCollectionUrl is mapped to network.http.referral_url

From is mapped to network.email.from (only if the log carries no ExchangeMetaData field)

FileName is mapped to target.file.full_path

FilePathUrl is mapped to target.url

FileSize is mapped to target.file.size

ExceptionInfo about.labels.key/value
PolicyDetails target.resource.product_object_id

security_result.summary

security_result.description

security_result.rule_id

security_result.rule_name

security_result.severity

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

SensitiveInformationTypeName is mapped to security_result.description

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

Severity is mapped to security_result.severity

IncidentId about.labels.key/value
Version metadata.product_version
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.Confidence security_result.confidence_details
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.ClassifierType security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.UniqueCount security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value security_result.detection_fields.key/value

MipLabel

The following table lists the log fields of the "MipLabel" operation and the "Exchange" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is mapped to network.email.mail_id

ApplicationMode about.labels.key/value
ItemName network.email.subject
LabelAppliedDateTime principal.labels.key/value
LabelId target.resource.product_object_id
LabelName target.resource.name
Receivers network.email.to
Sender network.email.from
Version metadata.product_version

SiteCollectionCreated

The following table lists the log fields of the "SiteCollectionCreated" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
CorrelationId security_result.detection_fields.key/value
EventData target.resource.name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
Version metadata.product_version

SiteDeleted

The following table lists the log fields of the "SiteDeleted" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
MachineId target.asset.product_object_id

PreviewModeEnabledSet

The following table lists the log fields of the "PreviewModeEnabledSet" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is mapped to SETTING

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

OfficeOnDemandSet

The following table lists the log fields of the "OfficeOnDemandSet" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteJoined

The following table lists the log fields of the "HubSiteJoined" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value

PreviousHubSiteId is mapped to target.resource.attribute.labels.key/value

HubSiteId is mapped to target.resource.attribute.labels.key/value

IsHubSiteId is mapped to target.resource.attribute.labels.key/value

Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteRegistered

The following table lists the log fields of the "HubSiteRegistered" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value

HubSiteId is mapped to target.resource.attribute.labels.key/value

IsHubSiteId is mapped to target.resource.attribute.labels.key/value

Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteUnjoined

The following table lists the log fields of the "HubSiteUnjoined" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value

IsHubSiteId is mapped to target.resource.attribute.labels.key/value

Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteUnregistered

The following table lists the log fields of the "HubSiteUnregistered" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value
Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SharingPolicyChanged

The following table lists the log fields of the "SharingPolicyChanged" operation and the "SharePoint" workload and their corresponding UDM mappings:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
AssertingApplicationId about.labels.key/value
ModifiedProperties target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

NetworkAccessPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkAccessPolicyChanged" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.ip

target.labels.key/value

If Name is IPAddressAllowList then NewValue is mapped to target.ip, otherwise to target.labels.key/value

Site target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

AlertEntityGenerated

The following table lists the log fields and corresponding UDM mappings for the operation "AlertEntityGenerated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

security_result.category is set to DATA_EXFILTRATION

AlertId target.resource.product_object_id
AlertType target.resource.attribute.labels.key/value
Name security_result.summary
PolicyId target.labels.key/value
Status target.resource.attribute.labels.key/value
Severity security_result.severity
Category security_result.category_details
Source security_result.description
Comments about.labels.key/value
Data about.labels.key/value
AlertEntityId target.user.userid or target.user.email_addresses
EntityType target.resource.attribute.labels.key/value
Version metadata.product_version

AlertTriggered

The following table lists the log fields and corresponding UDM mappings for the operation "AlertTriggered" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

security_result.category is set to DATA_EXFILTRATION

AlertId target.resource.product_object_id
AlertType target.resource.attribute.labels.key/value
Name security_result.summary
PolicyId target.labels.key/value
Status target.resource.attribute.labels.key/value
Severity security_result.severity
Category security_result.category_details
Source security_result.description
Comments about.labels.key/value
Data about.labels.key/value
AlertEntityId target.user.userid or target.user.email_addresses
EntityType target.resource.attribute.labels.key/value
Version metadata.product_version

AlertUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AlertUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

security_result.category is set to DATA_EXFILTRATION

AlertId target.resource.product_object_id
AlertType target.resource.attribute.labels.key/value
Name security_result.summary
PolicyId target.labels.key/value
Status target.resource.attribute.labels.key/value
Severity security_result.severity
Category security_result.category_details
Source security_result.description
Comments about.labels.key/value
Data about.labels.key/value
AlertEntityId target.user.userid or target.user.email_addresses
EntityType target.resource.attribute.labels.key/value
Version metadata.product_version

Get-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_UNCATEGORIZED

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Remove-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Set-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

New-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Remove-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Set-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Get-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

New-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.name

SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Remove-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Set-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceCase" and workload "Set-ComplianceCase":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Add-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.user.email_addresses

target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Remove-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.user.email_addresses

target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Update-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

New-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Remove-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Set-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Start-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Start-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Stop-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Stop-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

New-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Remove-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

New-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Remove-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Set-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Add-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Add-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.user.email_addresses

target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Remove-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.user.email_addresses

target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

New-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-AadProtectionLevel

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AadProtectionLevel" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-AutoSensitivityLabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AutoSensitivityLabelPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-DlpSensitiveInformationType

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationType" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-Label

The following table lists the log fields and corresponding UDM mappings for the operation "Get-Label" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-LabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-LabelPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

Get-PolicyConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Get-PolicyConfig" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
Version metadata.product_version

ValidaterbacAccessCheck

The following table lists the log fields and corresponding UDM mappings for the operation "ValidaterbacAccessCheck" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
AadAppId target.labels.key/value
DataType security_result.description
RelativeUrl target.url
ResultCount target.labels.key/value
Version metadata.product_version

ApplicableAdaptiveScopeChange

The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptiveScopeChange" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.resource.product_object_id

If Name is AssociatedAdaptiveScopeIds then Value is mapped to target.resource.product_object_id

CorrelationId security_result.detection_fields
ObjectType security_result.summary

NewComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "NewComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is LabelName then Value is mapped to target.resource.name

If Name is Description then Value is mapped to security_result.description

If Name is RetentionAction or WorkLoad then Value is mapped to target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then the Value is stored in the process_args variable.

If Name is Cmdlet then the Value is stored in the process_value variable.

principal.process.command_line is then mapped to {process_value} {process_args}

NewRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is mapped to security_result.description

If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then the Value is stored in the process_args variable.

If Name is Cmdlet then the Value is stored in the process_value variable.

principal.process.command_line is then mapped to {process_value} {process_args}

NewRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is mapped to security_result.description

If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then the Value is stored in the process_args variable.

If Name is Cmdlet then the Value is stored in the process_value variable.

principal.process.command_line is then mapped to {process_value} {process_args}

RemoveComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is LabelName then Value is mapped to target.resource.name

If Name is Description then Value is mapped to security_result.description

If Name is RetentionAction or WorkLoad then Value is mapped to target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then the Value is stored in the process_args variable.

If Name is Cmdlet then the Value is stored in the process_value variable.

principal.process.command_line is then mapped to {process_value} {process_args}

RemoveRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}

SetComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "SetComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is LabelName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}

SetRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_MODIFICATION UDM validation: principal.machineid (IP, hostname, assetId, MAC, and so on).

According to the official Office 365 documentation, ClientIP is a mandatory field for all Office 365 activities, but in some cases the ClientIP field is absent.

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}

SetRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}
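The five SecurityComplianceCenter cmdlet tables above (RemoveComplianceTag through SetRetentionCompliancePolicy) share one shape: a per-operation event type with the ClientIP-absent fallback to GENERIC_EVENT, a Name/Value dispatch over ExtendedProperties, and a command line assembled from the Cmdlet and CmdletOptions parameters. The Python below is an added example that reproduces that logic for all five operations; it is not the Chronicle parser's own code, and the sample record and its values are constructed.

```python
from typing import Any, Dict, List, Optional, Tuple

# Per-operation defaults as listed on this page:
# (event_type, resource_type, apply the ClientIP-absent fallback, ExtendedProperties Name holding the resource name)
OPERATION_RULES: Dict[str, Tuple[str, Optional[str], bool, str]] = {
    "RemoveComplianceTag": ("SETTING_DELETION", "SETTING", True, "LabelName"),
    "RemoveRetentionCompliancePolicy": ("SETTING_DELETION", "SETTING", True, "PolicyName"),
    "SetComplianceTag": ("USER_RESOURCE_UPDATE_CONTENT", None, False, "LabelName"),
    "SetRetentionComplianceRule": ("SETTING_MODIFICATION", "SETTING", True, "PolicyName"),
    "SetRetentionCompliancePolicy": ("SETTING_MODIFICATION", "SETTING", True, "PolicyName"),
}

# Top-level record fields that map one-to-one onto a UDM field.
SIMPLE_FIELDS = {
    "StartTime": "target.resource.attribute.creation_time",
    "CmdletVersion": "metadata.product_version",
    "Version": "metadata.product_version",
    "EffectiveOrganization": "target.administrative_domain",
    "ClientApplication": "principal.application",
    "ObjectType": "security_result.summary",
}

# Top-level fields that become principal.labels key/value pairs.
PRINCIPAL_LABEL_FIELDS = ("ClientRequestId", "UserServicePlan")


def _name_values(entries: Optional[List[Dict[str, Any]]]) -> List[Tuple[Any, Any]]:
    """Flatten a list of {"Name": ..., "Value": ...} objects into (name, value) pairs."""
    return [(e.get("Name"), e.get("Value")) for e in entries or []]


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map one SecurityComplianceCenter cmdlet audit record to flat, dotted UDM field names."""
    op = record.get("Operation", "")
    if op not in OPERATION_RULES:
        raise ValueError(f"unsupported operation: {op}")
    event_type, resource_type, ip_fallback, name_key = OPERATION_RULES[op]

    udm: Dict[str, Any] = {"metadata.event_type": event_type}
    if resource_type:
        udm["target.resource.resource_type"] = resource_type
    # SETTING_* event types need a principal machine id for UDM validation; without
    # ClientIP the record degrades to GENERIC_EVENT instead of being rejected.
    if ip_fallback and not record.get("ClientIP"):
        udm["metadata.event_type"] = "GENERIC_EVENT"

    for src, dst in SIMPLE_FIELDS.items():
        if src in record:
            udm[dst] = record[src]
    principal_labels = [{"key": f, "value": record[f]} for f in PRINCIPAL_LABEL_FIELDS if f in record]
    if principal_labels:
        udm["principal.labels"] = principal_labels

    # ExtendedProperties: dispatch on Name; the remaining names from the tables become resource labels.
    resource_labels: List[Dict[str, Any]] = []
    for name, value in _name_values(record.get("ExtendedProperties")):
        if name == "CreatedBy":
            udm["target.user.user_display_name"] = value
        elif name == name_key:
            udm["target.resource.name"] = value
        elif name == "Description":
            udm["security_result.description"] = value
        elif name in ("RetentionAction", "WorkLoad", "LabelName"):
            # LabelName reaches this branch only for the policy operations;
            # for the tag operations it was already consumed as the resource name.
            resource_labels.append({"key": name, "value": value})
    if resource_labels:
        udm["target.resource.attribute.labels"] = resource_labels

    # Parameters: Cmdlet (process_value) and CmdletOptions (process_args) form the command line.
    process_value = process_args = None
    for name, value in _name_values(record.get("Parameters")):
        if name == "Cmdlet":
            process_value = value
        elif name == "CmdletOptions":
            process_args = value
    if process_value:
        udm["principal.process.command_line"] = " ".join(p for p in (process_value, process_args) if p)
    return udm


# Constructed sample record (all values made up) for a SetRetentionCompliancePolicy audit event.
SAMPLE_RECORD: Dict[str, Any] = {
    "Operation": "SetRetentionCompliancePolicy",
    "Workload": "SecurityComplianceCenter",
    "ClientIP": "203.0.113.10",
    "StartTime": "2024-01-15T10:22:31",
    "CmdletVersion": "1.0.0",
    "EffectiveOrganization": "example.onmicrosoft.com",
    "ClientApplication": "Sccadmin",
    "ClientRequestId": "7c0b6c0e-0000-4000-8000-000000000001",
    "ObjectType": "RetentionCompliancePolicy",
    "ExtendedProperties": [
        {"Name": "CreatedBy", "Value": "Admin User"},
        {"Name": "PolicyName", "Value": "Finance 7yr"},
        {"Name": "Description", "Value": "Retain finance documents"},
        {"Name": "RetentionAction", "Value": "Keep"},
        {"Name": "WorkLoad", "Value": "Exchange"},
        {"Name": "LabelName", "Value": "Finance"},
    ],
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Set-RetentionCompliancePolicy"},
        {"Name": "CmdletOptions", "Value": "-Identity 'Finance 7yr' -Enabled $true"},
    ],
}

if __name__ == "__main__":
    for key, value in normalize(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Dropping ClientIP from the sample record shows the GENERIC_EVENT fallback, while switching Operation to SetComplianceTag shows LabelName taking over as the resource name with no fallback applied.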

Get-CsTeamsUpgradeOverridePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CsTeamsUpgradeOverridePolicy" and workload "SkypeForBusiness":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters security_result.description

If Name is Tenant then Value is mapped to tenant_value

If Name is Identity then Value is mapped to identity_value

security_result.description is Tenant = {tenant_value} / Identity = {identity_value}

SkypeForBusinessEventType about.labels.key/value
TenantName target.resource.product_object_id
Version metadata.product_version

TeamsAdminAction

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsAdminAction" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

If ResultStatus is Succeeded then

Action is set to ALLOW

If ResultStatus is Failed then

Action is set to BLOCK

AdminActionDetail security_result.summary
ClientApplication network.http.user_agent
ExtraProperties additional.fields.key/value.string_value
UserClaims security_result.description
Version metadata.product_version

Update-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-DistributionGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then

Action is set to ALLOW

else

Action is set to BLOCK

ClientVersion metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.description

target.group.product_object_id or target.group.email_addresses

target.group.attribute.labels.key/value

If Name is Members then Value is mapped to security_result.description

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

else

target.group.attribute.labels.key/value

SessionId network.session_id
Version metadata.product_version

SupervisoryReviewOLAudit

The following table lists the log fields and corresponding UDM mappings for the operation "SupervisoryReviewOLAudit" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

Extract auditScore from ResultStatus using

ResultStatus .*?Score:{auditScore}

and map security_result.confidence_details to {auditScore}

security_result.confidence is mapped based on auditScore

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value
MailboxGuid target.labels.key/value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ExchangeDetails network.direction

network.email.from

network.email.mail_id

network.email.to

network.email.subject

If Directionality is Incoming then network.direction is mapped to INBOUND

If Directionality is Outgoing then network.direction is mapped to OUTBOUND

From is mapped to network.email.from

InternetMessageId is mapped to network.email.mail_id

Recipients is mapped to network.email.to

Subject is mapped to network.email.subject

Version metadata.product_version
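The SupervisoryReviewOLAudit table above combines three kinds of mapping: a pattern extraction (auditScore out of ResultStatus), a split of one field into two UDM fields (ClientIPAddress into principal.ip and principal.port), and a nested object (ExchangeDetails) fanned out over network.direction and the network.email fields. The Python below is an added example of that mapping, not the Chronicle parser's code; the regex form of the page's Score: pattern and the host:port split are assumptions, and the sample record is constructed.

```python
import re
from typing import Any, Dict, Optional, Tuple

# The page's pattern ".*?Score:{auditScore}" as a Python regex; the numeric capture is an assumption.
AUDIT_SCORE_RE = re.compile(r".*?Score:(?P<auditScore>\d+(?:\.\d+)?)")

# ClientIPAddress as "a.b.c.d:port" or "[ipv6]:port"; a bare address has no port.
IP_PORT_RE = re.compile(r"^(?:\[(?P<ip6>[^\]]+)\]|(?P<ip4>[^:\[\]]+)):(?P<port>\d+)$")

DIRECTION = {"Incoming": "INBOUND", "Outgoing": "OUTBOUND"}

# One-to-one mappings from the table. OriginatingServer and ClientMachineName both map to
# principal.hostname on the page; this example lets ClientMachineName win when both are present.
SIMPLE_FIELDS = {
    "LogonType": "extensions.auth.mechanism",
    "MailboxOwnerUPN": "target.user.email_addresses",
    "MailboxOwnerSid": "target.user.windows_sid",
    "LogonUserSid": "principal.user.windows_sid",
    "LogonUserDisplayName": "principal.user.user_display_name",
    "OrganizationName": "target.administrative_domain",
    "OriginatingServer": "principal.hostname",
    "ClientMachineName": "principal.hostname",
    "ClientInfoString": "network.http.user_agent",
    "ClientProcessName": "principal.process.file.full_path",
    "ClientVersion": "metadata.product_version",
    "Version": "metadata.product_version",
}

EXCHANGE_DETAIL_FIELDS = {
    "From": "network.email.from",
    "InternetMessageId": "network.email.mail_id",
    "Recipients": "network.email.to",
    "Subject": "network.email.subject",
}


def extract_audit_score(result_status: Optional[str]) -> Optional[str]:
    """Return the Score: value embedded in ResultStatus, or None when there is none."""
    m = AUDIT_SCORE_RE.match(result_status or "")
    return m.group("auditScore") if m else None


def split_ip_port(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6) into its parts; bare addresses keep port None."""
    value = value.strip()
    m = IP_PORT_RE.match(value)
    if not m:
        return (value or None), None
    return (m.group("ip6") or m.group("ip4")), int(m.group("port"))


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map one SupervisoryReviewOLAudit record to flat, dotted UDM field names."""
    udm: Dict[str, Any] = {"metadata.event_type": "EMAIL_TRANSACTION"}

    score = extract_audit_score(record.get("ResultStatus"))
    if score is not None:
        # The page derives security_result.confidence from this score too, but gives no thresholds,
        # so only confidence_details is populated here.
        udm["security_result.confidence_details"] = score

    for src, dst in SIMPLE_FIELDS.items():
        if src in record:
            udm[dst] = record[src]

    if record.get("ClientIPAddress"):
        ip, port = split_ip_port(record["ClientIPAddress"])
        if ip:
            udm["principal.ip"] = ip
        if port is not None:
            udm["principal.port"] = port

    details = record.get("ExchangeDetails") or {}
    direction = DIRECTION.get(details.get("Directionality"))
    if direction:
        udm["network.direction"] = direction
    for src, dst in EXCHANGE_DETAIL_FIELDS.items():
        if src in details:
            udm[dst] = details[src]
    return udm


# Constructed sample record (all values made up).
SAMPLE_RECORD: Dict[str, Any] = {
    "Operation": "SupervisoryReviewOLAudit",
    "Workload": "Exchange",
    "ResultStatus": "Processed, Score:85",
    "LogonType": "Admin",
    "MailboxOwnerUPN": "owner@example.com",
    "OriginatingServer": "EXCH01",
    "ClientIPAddress": "203.0.113.5:443",
    "ClientInfoString": "Client=Outlook;Version=16.0",
    "ExchangeDetails": {
        "Directionality": "Incoming",
        "From": "sender@example.net",
        "InternetMessageId": "<msg-0001@example.net>",
        "Recipients": ["owner@example.com"],
        "Subject": "Quarterly numbers",
    },
}

if __name__ == "__main__":
    for key, value in normalize(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```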

CrmDefaultActivity

The following table lists the log fields and corresponding UDM mappings for the operation "CrmDefaultActivity" and workload "CRM":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
CrmOrganizationUniqueName principal.resource.name
InstanceUrl target.url
ItemUrl principal.labels.key/value
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
Fields about.labels.key/value
EntityId principal.labels.key/value
EntityName principal.labels.key/value
Message security_result.summary
Query security_result.description
PrimaryFieldValue about.labels.key/value
CorrelationId security_result.detection_fields.key/value
QueryResults about.labels.key/value
ServiceContextId principal.labels.key/value
ServiceContextIdType about.labels.key/value
ServiceName principal.application
SystemUserId principal.labels.key/value
Version metadata.product_version

TIMailData

The following table lists the log fields and corresponding UDM mappings for the operation "TIMailData" and workload "ThreatIntelligence":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

ObjectId is set to metadata.product_log_id

AttachmentData about.file.full_path

about.file.mime_type

about.file.sha256

security_result.category_details

AttachmentData.FileName is mapped to about.file.full_path

AttachmentData.FileType is mapped to about.file.mime_type

AttachmentData.SHA256 is mapped to about.file.sha256

If AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details

DetectionType security_result.summary
DetectionMethod security_result.description
InternetMessageId about.labels.key/value
NetworkMessageId about.labels.key/value
P1Sender principal.user.email_addresses
P2Sender network.email.from
Policy security_result.rule_name
PolicyAction security_result.action

If PolicyAction is Quarantine then action is set to QUARANTINE

If PolicyAction is MoveToJmf then action is set to ALLOW_WITH_MODIFICATION

Recipients network.email.to
SenderIp src.ip
Subject network.email.subject
Verdict security_result.category
MessageTime target.resource.attribute.labels.key/value
EventDeepLink metadata.url_back_to_product
DeliveryAction about.labels.key/value
OriginalDeliveryLocation about.labels.key/value
LatestDeliveryLocation about.labels.key/value
Directionality network.direction
ThreatsAndDetectionTech about.labels.key/value
AdditionalActionsAndResults about.labels.key/value
Connectors about.labels.key/value
AuthDetails about.labels.key/value
PhishConfidenceLevel about.labels.key/value
Version metadata.product_version

SearchMtpStatus

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpStatus" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
AadAppId target.labels.key/value
DataType target.labels.key/value
Version metadata.product_version
RelativeUrl target.url
ResultCount target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value

RemovedFromSiteCollection

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSiteCollection" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupType target.group.group_display_name

target.user.userid

target.user.email_addresses

WebId about.labels.key/value
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

CommentsDisabled

The following table lists the log fields and corresponding UDM mappings for the operation "CommentsDisabled" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
CorrelationId security_result.detection_fields.key/value
SourceRelativeUrl If ObjectId field is not present in the log then

target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

SourceFileName If ObjectId field is not present in the log then

target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
WebId about.labels.key/value
UserAgent network.http.user_agent
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileRecycled" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value
SharingType target.labels.key/value
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

CommentsEnabled

The following table lists the log fields and corresponding UDM mappings for the operation "CommentsEnabled" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SourceFileExtension target.file.mime_type
SiteUrl network.http.referral_url
SourceFileName If ObjectId field is not present in the log then

target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

SourceRelativeUrl If ObjectId field is not present in the log then

target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

ApplicationDisplayName target.application

FolderRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRecycled" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value
SharingType target.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value

FileTranscriptRequested

The following table lists the log fields and corresponding UDM mappings for the operation "FileTranscriptRequested" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value
SharingType target.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value

WACTokenShared

The following table lists the log fields and corresponding UDM mappings for the operation "WACTokenShared" and workload "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value
SharingType target.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value

Update label.

The following table lists the log fields and corresponding UDM mappings for the operation "Update label." and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

SiteLocksChanged

The following table lists the log fields and corresponding UDM mappings for the operation "SiteLocksChanged" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteIBModeSet

The following table lists the log fields and corresponding UDM mappings for the operation "SiteIBModeSet" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to SETTING_UNCATEGORIZED

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteDesignInvoked

The following table lists the log fields and corresponding UDM mappings for the operation "SiteDesignInvoked" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

SiteDesignId is mapped to target.resource.attribute.labels.key/value

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteContentTypeCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
ListTitle about.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteCollectionQuotaModified

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionQuotaModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

ShortcutAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ShortcutAdded" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
SourceFileExtension target.file.mime_type
SiteUrl network.http.referral_url
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SPOIBIsEnabled

The following table lists the log fields and corresponding UDM mappings for the operation "SPOIBIsEnabled" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value

WebAccessRequestApproverModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebAccessRequestApproverModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties target.labels.key/value

If Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid

else

target.labels.key/value

Set-TransportConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-TransportConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
AppId target.labels.key/value
Parameters principal.user.email_addresses

principal.user.userid

If Name is Identity then Value is mapped to principal.user.email_addresses or principal.user.userid

Set-TenantObjectVersion

The following table lists the log fields and corresponding UDM mappings for the operation "Set-TenantObjectVersion" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

If Name is DomainController then Value is mapped to target.administrative_domain

else

target.labels.key/value

Set-RecipientEnforcementProvisioningPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RecipientEnforcementProvisioningPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

Set-PolicyConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-PolicyConfig" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to ACCESS_POLICY

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Set-OwaMailboxPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-OwaMailboxPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

Set-MailboxPlan

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailboxPlan" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

Set-LabelProperties

The following table lists the log fields and corresponding UDM mappings for the operation "Set-LabelProperties" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value
SessionId network.session_id

Set-Label

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Label" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.labels.key/value
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Set-ExchangeAssistanceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ExchangeAssistanceConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.url

target.labels.key/value

If Name is PrivacyStatementURL then Value is mapped to target.url

else

target.labels.key/value

Set-ConditionalAccessPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ConditionalAccessPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name

target.labels.key/value

If Name is DisplayName then Value is mapped to target.resource.name

else

target.labels.key/value

SessionID network.session_id

New-ConditionalAccessPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-ConditionalAccessPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name

target.labels.key/value

If Name is DisplayName then Value is mapped to target.resource.name

else

target.labels.key/value

SessionID network.session_id

RemovedSearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedSearchReport" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then principal.process.command_line is set to {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

Get-PrivacyManagementPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-PrivacyManagementPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

Set-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
Parameters target.process.command_line

SearchTrialOffer

The following table lists the log fields and corresponding UDM mappings for the operation "SearchTrialOffer" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchTIKustoClusterInformation

The following table lists the log fields and corresponding UDM mappings for the operation "SearchTIKustoClusterInformation" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchMtpRoleInfo

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpRoleInfo" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchMailflowForwardingData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMailflowForwardingData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchDataInsightsSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "SearchDataInsightsSubscription" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchCustomerInsight

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCustomerInsight" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchConnectorReportData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchConnectorReportData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchAlertAggregate

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertAggregate" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

SearchAlert

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlert" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters about.labels.key/value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Enable-AddressListPaging

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-AddressListPaging" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

Install-AdminAuditLogConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-AdminAuditLogConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

AccessedAggregates

The following table lists the log fields and corresponding UDM mappings for the operation "AccessedAggregates" and workload "Mip":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
DataType security_result.description
version metadata.product_version

AccessedSiteList

The following table lists the log fields and corresponding UDM mappings for the operation "AccessedSiteList" and workload "Mip":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
DataType security_result.description
version metadata.product_version

Install-DataClassificationConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-DataClassificationConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

Set-UnifiedGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-UnifiedGroup" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

if ResultStatus is TRUE then

security_result.action is set to ALLOW

else

security_result.action is set to BLOCK

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol

target.user.email_addresses

target.group.email_addresses

If Name is EmailAddresses, the emails and mail_key are extracted from the Value field; the emails are mapped to target.user.email_addresses and mail_key to network.email.mail_id.

If Name is ExternalEmailAddress, the protocol and emails are extracted from the Value field; the protocol is mapped to network.application_protocol and the emails to target.group.email_addresses.

Protocol is mapped to network.application_protocol

EmailAddresses is mapped to target.user.email_addresses

ExternalEmailAddress is mapped to target.group.email_addresses

SessionId network.session_id

ApplicableAdaptivePolicyChange

The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptivePolicyChange" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then principal.process.command_line is set to {process_value} {process_args}

ClientApplication principal.application
Version metadata.product_version
ExtendedProperties security_result.detection_fields.key/value.

target.resource.product_object_id

if Name is CorrelationId then Name is mapped to security_result.detection_fields.key/value.

if Name is AssociatedAdaptivePolicyIds then AssociatedAdaptivePolicyIds is mapped to target.resource.product_object_id

ObjectType security_result.summary

Get-AppRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok:

grok {
  match => {
    Parameters .*-Policy \{:target_resource_product_object_id}\
  }
}

New-AppRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId principal.labels.key/value
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.name

target.resource.product_object_id

Extract Policy and Name using grok

Name is mapped to target.resource.name

Policy is mapped to target.resource.product_object_id

StartTime target.resource.attribute.creation_time
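The two shapes of the Parameters field that the SecurityComplianceCenter tables describe, worked as an added Python example: a Name/Value list that is rebuilt as "{Cmdlet} {CmdletOptions}" (as in the RemovedSearchReport and ApplicableAdaptivePolicyChange tables above) and a plain argument string from which the -Policy and -Name values are pulled (as in the grok used for the AppRetentionCompliance cmdlets). This is not code from this page or from the Chronicle parser; the sample records are constructed, the dotted UDM paths are plain dictionary keys, and the regular expression is an assumed stand-in for the page's grok pattern.

```python
import re
from typing import Any, Dict, Optional

# Constructed sample records (not real tenant data), shaped like the
# SecurityComplianceCenter workload entries in the tables above.
SAMPLE_NEW_RULE = {
    "Workload": "SecurityComplianceCenter",
    "Operation": "New-AppRetentionComplianceRule",
    "StartTime": "2024-05-01T10:15:00",
    "EffectiveOrganization": "contoso.onmicrosoft.com",
    "Parameters": '-Name "Teams-90d-rule" -Policy "Teams-90d-policy" -RetentionDuration 90',
}
SAMPLE_REMOVED_SEARCH = {
    "Workload": "SecurityComplianceCenter",
    "Operation": "RemovedSearchReport",
    "StartTime": "2024-05-01T11:00:00",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Remove-ComplianceSearch"},
        {"Name": "CmdletOptions", "Value": '-Identity "Case1-Search" -Confirm:$false'},
    ],
}

# Assumed equivalent of the page's grok: the value that follows -Name or
# -Policy, whether double-quoted, single-quoted or bare. The \b keeps
# -Policy from matching inside a longer switch such as -PolicyName.
_PARAM_RE = re.compile(
    r"""-(?P<key>Name|Policy)\b\s+(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S+))"""
)


def command_line_from_parameters(params: Any) -> Optional[str]:
    """Rebuild the cmdlet invocation from either Parameters shape.

    A string is already the argument list. A Name/Value list is joined as
    "{Cmdlet} {CmdletOptions}", as the RemovedSearchReport and
    ApplicableAdaptivePolicyChange tables describe; without a Cmdlet entry
    there is nothing to rebuild.
    """
    if isinstance(params, str):
        return params.strip() or None
    if isinstance(params, list):
        by_name = {p.get("Name"): p.get("Value") for p in params if isinstance(p, dict)}
        cmdlet = by_name.get("Cmdlet")
        if not cmdlet:
            return None
        options = by_name.get("CmdletOptions")
        return f"{cmdlet} {options}" if options else cmdlet
    return None


def extract_named_values(command_line: str) -> Dict[str, str]:
    """Return the -Name and -Policy values present in an argument string."""
    found: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(command_line):
        found[m.group("key")] = m.group("dq") or m.group("sq") or m.group("bare") or ""
    return found


def normalize_scc_record(rec: dict) -> Dict[str, str]:
    """Map one record to the UDM fields (as dotted paths) derived from Parameters."""
    udm: Dict[str, str] = {}
    params = rec.get("Parameters")
    cmd = command_line_from_parameters(params)
    if cmd is None:
        return udm
    # The tables put a rebuilt Name/Value list in principal.process.command_line
    # and a plain argument string in target.process.command_line.
    path = "principal.process.command_line" if isinstance(params, list) else "target.process.command_line"
    udm[path] = cmd
    named = extract_named_values(cmd)
    if "Name" in named:
        udm["target.resource.name"] = named["Name"]
    if "Policy" in named:
        udm["target.resource.product_object_id"] = named["Policy"]
    if rec.get("StartTime"):
        udm["target.resource.attribute.creation_time"] = rec["StartTime"]
    if rec.get("EffectiveOrganization"):
        udm["target.administrative_domain"] = rec["EffectiveOrganization"]
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_NEW_RULE, SAMPLE_REMOVED_SEARCH):
        print(sample["Operation"], normalize_scc_record(sample))
```

The regex deliberately accepts single-quoted and bare values as well as the double-quoted form, because PowerShell callers are not required to quote a -Name or -Policy argument; a parser keyed only on double quotes silently drops target.resource.name for those invocations.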

New-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId principal.labels.key/value
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

StartTime target.resource.attribute.creation_time

Set-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time

Install-DefaultSharingPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Install-DefaultSharingPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

Install-ResourceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-ResourceConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

New-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "New-Mailbox" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value
SessionId network.session_id

Add-MailboxFolderPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxFolderPermission" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name

target.user.user_display_name

target.user.attribute.permissions.name

target.labels.key/value

If Name is Identity then Value is mapped to target.resource.name

If Name is User then Value is mapped to target.user.user_display_name

If Name is AccessRights then Value is mapped to target.user.attribute.permissions.name

else

target.labels.key/value

New-LabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-LabelPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to ACCESS_POLICY

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

New-Label

The following table lists the log fields and corresponding UDM mappings for the operation "New-Label" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.name

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value

Get-ActivityAlert

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ActivityAlert" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-ProtectionAlert

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ProtectionAlert" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

SearchComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "SearchComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters about.labels.key/value
UserServicePlan principal.labels.key/value
version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Remove-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Remove-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Remove-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

New-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Enable-ComplianceTagStorage

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-ComplianceTagStorage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-ComplianceRetentionEventType

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEventType" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

AggregateActivityData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateActivityData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters about.labels.key/value
UserServicePlan principal.labels.key/value
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Set-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-FilePlanPropertyStructure

The following table lists the log fields and corresponding UDM mappings for the operation "Get-FilePlanPropertyStructure" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

New-ComplianceRetentionEventType

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceRetentionEventType" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is mapped to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.name

Extract Name using grok; Name is mapped to target.resource.name

UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-DlpSensitiveInformationTypeRulePackage

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationTypeRulePackage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-ComplianceRetentionEvent

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEvent" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-QuarantineMessage

The following table lists the log fields and corresponding UDM mappings for the operation "Get-QuarantineMessage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

AggregateThreatProfileDetails

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateThreatProfileDetails" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters about.labels.key/value
UserServicePlan principal.labels.key/value
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Get-DlpDetectionsReport

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpDetectionsReport" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Add-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-RoleGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then

security_result.action is set to ALLOW

else

security_result.action is set to BLOCK

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

else

target.group.attribute.labels.key/value

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
SessionId network.session_id

Update-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation Update-RoleGroupMember and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

else

target.group.attribute.labels.key/value

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
SessionId network.session_id

New-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation New-RoleGroup and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

else

target.group.attribute.labels.key/value

Version metadata.product_version
AppId target.labels.key/value
SessionId network.session_id
ClientAppId target.labels.key/value
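The Add-RoleGroupMember, Update-RoleGroupMember and New-RoleGroup tables above share one Parameters rule: a Member value goes to target.user, an Identity value goes to target.group, every other parameter becomes a target.group.attribute label, and ResultStatus decides security_result.action. The Python below is an added example, not Chronicle parser code, that applies those rows to a constructed Exchange admin-audit record so the result can be compared with what the OFFICE_365 parser emits. The sample record, the identity_kind() heuristic (GUID, e-mail address, otherwise display name) used to pick among the alternative sub-fields the table lists, and the choice to send a non-GUID, non-e-mail Identity value to the group labels are assumptions made for this example.

```python
import re

# Constructed sample record. Its shape follows an Exchange admin-audit entry
# from the Office 365 Management Activity API; every value is invented.
SAMPLE_RECORD = {
    "Workload": "Exchange",
    "Operation": "Add-RoleGroupMember",
    "ObjectId": "Organization Management",
    "ResultStatus": "True",
    "OriginatingServer": "EX01 (15.20.1234.000)",
    "OrganizationName": "contoso.onmicrosoft.com",
    "SessionId": "8c7a6b5e-0000-1111-2222-333344445555",
    "AppId": "fb78d390-0c51-40cd-8e17-fdbfab77341b",
    "ClientAppId": "",
    "Version": 1,
    "Parameters": [
        {"Name": "Identity", "Value": "Organization Management"},
        {"Name": "Member", "Value": "alice@contoso.com"},
        {"Name": "BypassSecurityGroupManagerCheck", "Value": "True"},
    ],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def identity_kind(value):
    """Choose among the alternative sub-fields the table lists for one value.

    The table does not say how the parser decides, so this heuristic is an
    assumption: GUID -> product_object_id, e-mail -> email_addresses,
    anything else -> user_display_name.
    """
    if GUID_RE.match(value):
        return "product_object_id"
    if EMAIL_RE.match(value):
        return "email_addresses"
    return "user_display_name"


def _set_identity(entity, kind, value):
    # email_addresses is a repeated field in UDM; the other two are scalars.
    if kind == "email_addresses":
        entity.setdefault("email_addresses", []).append(value)
    else:
        entity[kind] = value


def map_role_group_event(rec):
    """Apply the Add-/Update-RoleGroupMember and New-RoleGroup mapping rows."""
    op = rec.get("Operation", "")
    udm = {
        "metadata": {
            "event_type": "GROUP_MODIFICATION"
            if op in ("Add-RoleGroupMember", "Update-RoleGroupMember")
            else "GROUP_UNCATEGORIZED",
            "product_version": str(rec.get("Version", "")),
        },
        "principal": {"hostname": rec.get("OriginatingServer")},
        "target": {
            "administrative_domain": rec.get("OrganizationName"),
            "group": {"group_display_name": rec.get("ObjectId"),
                      "attribute": {"labels": []}},
            "user": {},
            "labels": [],
        },
        "security_result": {
            "summary": "Group Members definition",
            # Exchange cmdlet audits carry ResultStatus as the string "True"
            "action": "ALLOW" if rec.get("ResultStatus") == "True" else "BLOCK",
        },
        "network": {"session_id": rec.get("SessionId")},
    }
    for key in ("AppId", "ClientAppId"):
        if rec.get(key):
            udm["target"]["labels"].append({"key": key, "value": rec[key]})

    group_labels = udm["target"]["group"]["attribute"]["labels"]
    for param in rec.get("Parameters", []):
        name, value = param.get("Name", ""), str(param.get("Value", ""))
        kind = identity_kind(value)
        if name == "Member":
            _set_identity(udm["target"]["user"], kind, value)
        elif name == "Identity" and kind != "user_display_name":
            # Identity only has product_object_id / email_addresses targets
            _set_identity(udm["target"]["group"], kind, value)
        else:
            # Everything else, including a display-name Identity (assumption),
            # lands in target.group.attribute.labels
            group_labels.append({"key": name, "value": value})
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(map_role_group_event(SAMPLE_RECORD), indent=2))
```

Running the script prints the UDM-shaped dictionary for the sample record; when validating against real ingested events, compare the target.user and target.group sub-fields first, since that is where the alternative mappings in the table leave the most room for the parser to differ from this heuristic.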

Provision-ComplianceMailboxFolder

The following table lists the log fields and corresponding UDM mappings for the operation Provision-ComplianceMailboxFolder and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
Parameters target.resource.product_object_id

target.labels.key/value

If Name is FolderName then Value is mapped to target.resource.product_object_id

else

target.labels.key/value

Remove-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation Remove-Mailbox and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
Parameters target.resource.name

target.labels.key/value

If Name is Identity then Value is mapped to target.resource.name

else

target.labels.key/value

New-QuarantinePolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-QuarantinePolicy and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
Parameters target.resource.name

target.labels.key/value

If Name is Name then Value is mapped to target.resource.name

All other parameters will map with

target.labels.key/value

SessionId network.session_id

Get-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation Get-RoleGroup and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

else

target.group.attribute.labels.key/value

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

SearchLabelAnalyticsActivityData

The following table lists the log fields and corresponding UDM mappings for the operation SearchLabelAnalyticsActivityData and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters about.labels.key/value
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Get-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Get-DlpCompliancePolicy and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

SearchSecurityRedirection

The following table lists the log fields and corresponding UDM mappings for the operation SearchSecurityRedirection and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters about.labels.key/value
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Get-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation Get-ComplianceCaseMember and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

HoldViewed

The following table lists the log fields and corresponding UDM mappings for the operation HoldViewed and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is HoldId then ID is mapped to about.labels.key/value

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

Get-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation Get-eDiscoveryCaseAdmin and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation Get-RoleGroupMember and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-ManagementRole

The following table lists the log fields and corresponding UDM mappings for the operation Get-ManagementRole and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Set-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation Set-RoleGroup and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.group.group_display_name

target.process.command_line

Extract DisplayName using grok

Name is mapped to target.group.group_display_name

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-SecurityPrincipal

The following table lists the log fields and corresponding UDM mappings for the operation Get-SecurityPrincipal and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation Get-CaseHoldRule and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to SETTING_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok:

grok {
  match is mapped to {
    Parameters .*-Policy {target_resource_product_object_id}
  }
}

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value
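Two shapes of the Parameters field appear in the SecurityComplianceCenter tables: HoldViewed and ViewedSearchReport receive a list of Name/Value pairs from which the Cmdlet and CmdletOptions values are joined into principal.process.command_line, while Get-CaseHoldRule (and, further down, New-RetentionComplianceRule and Get-RetentionComplianceRule) receive a single string from which the -Policy argument is extracted with grok into target.resource.product_object_id. The Python below is an added example, not the page's or Chronicle's parser code, that implements both steps. The sample parameter values are constructed, and the regular expression standing in for the grok pattern is an assumption, since the page shows that pattern only in garbled form.

```python
import re

# Constructed sample values. Their shapes follow SecurityComplianceCenter
# audit records; the cmdlet, case and policy names are invented.
HOLD_VIEWED_PARAMETERS = [
    {"Name": "Cmdlet", "Value": "Get-CaseHoldPolicy"},
    {"Name": "CmdletOptions", "Value": '-Case "Litigation 42" -IncludeBindings'},
]
CASE_HOLD_RULE_PARAMETERS = '-Policy "Litigation 42 hold" -Confirm False'

# Stands in for the ".*-Policy ..." grok pattern the tables describe
# (assumption: the page shows it only in garbled form). Accepts a quoted
# or bare value and stops at the next "-Switch" or at the end of the string.
POLICY_RE = re.compile(r'.*-Policy\s+"?([^"]+?)"?(?:\s+-|\s*$)')


def command_line_from_parameters(params):
    """HoldViewed / ViewedSearchReport: Cmdlet + CmdletOptions -> principal.process.command_line."""
    process_value = ""
    process_args = ""
    for p in params:
        if p.get("Name") == "Cmdlet":
            process_value = str(p.get("Value", ""))
        elif p.get("Name") == "CmdletOptions":
            process_args = str(p.get("Value", ""))
    if not process_value:
        # Without a Cmdlet entry there is nothing to put in command_line
        return None
    return f"{process_value} {process_args}".strip()


def policy_from_parameters(parameters):
    """Get-CaseHoldRule and the retention-rule cmdlets: -Policy value -> target.resource.product_object_id."""
    match = POLICY_RE.match(parameters)
    return match.group(1) if match else None


def map_scc_parameters(operation, parameters):
    """Dispatch on the operation the way the tables do; returns the UDM fields that get set."""
    if operation in ("HoldViewed", "ViewedSearchReport"):
        return {"principal.process.command_line": command_line_from_parameters(parameters)}
    # Cmdlet audits keep the raw string in target.process.command_line and,
    # when a -Policy argument is present, also populate the resource id.
    udm = {"target.process.command_line": parameters}
    policy = policy_from_parameters(parameters)
    if policy:
        udm["target.resource.product_object_id"] = policy
    return udm


if __name__ == "__main__":
    print(map_scc_parameters("HoldViewed", HOLD_VIEWED_PARAMETERS))
    print(map_scc_parameters("Get-CaseHoldRule", CASE_HOLD_RULE_PARAMETERS))
```

Note the asymmetry the tables record: the joined cmdlet line for HoldViewed and ViewedSearchReport lands under principal, whereas the raw Parameters string for the cmdlet audits lands under target. A detection that searches for a cmdlet name should therefore cover both principal.process.command_line and target.process.command_line.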

ViewedSearchReport

The following table lists the log fields and corresponding UDM mappings for the operation ViewedSearchReport and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.summary
ExtendedProperties target.resource.product_object_id

about.labels.key/value

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is SearchIds then ID is mapped to about.labels.key/value

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

Get-AdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation Get-AdaptiveScope and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Get-RetentionCompliancePolicy and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

New-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-RetentionCompliancePolicy and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

New-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation New-RetentionComplianceRule and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok:

grok {
  match is mapped to {
    Parameters .*-Policy {target_resource_product_object_id}
  }
}

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation Get-ComplianceTag and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Set-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation Set-RetentionComplianceRule and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-RegulatoryComplianceUI

The following table lists the log fields and corresponding UDM mappings for the operation Get-RegulatoryComplianceUI and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Get-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation Get-RetentionComplianceRule and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok:

grok {
  match is mapped to {
    Parameters .*-Policy {target_resource_product_object_id}
  }
}

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

New-AdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation New-AdaptiveScope and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

Enable-AdaptiveScopeStorage

The following table lists the log fields and corresponding UDM mappings for the operation Enable-AdaptiveScopeStorage and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value

SearchCustomTag

The following table lists the log fields and corresponding UDM mappings for the operation SearchCustomTag and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters about.labels.key/value
Version metadata.product_version
AadAppId target.labels.key/value
DataType target.labels.key/value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value

Set-RegulatoryComplianceUI

The following table lists the log fields and corresponding UDM mappings for the operation Set-RegulatoryComplianceUI and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version

RemoveRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation RemoveRetentionComplianceRule and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

The name and value for the parameters that were used with the corresponding cmdlet.

Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary

NewAdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation NewAdaptiveScope and the workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value
ClientApplication principal.application
Parameters principal.process.command_line

The name and value for the parameters that were used with the corresponding cmdlet.

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Version metadata.product_version
ObjectType security_result.summary
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

CommentCreated

The following table lists the log fields and corresponding UDM mappings for the operation CommentCreated and the workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SourceFileExtension target.file.mime_type
SiteUrl network.http.referral_url
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
CommentId about.labels.key/value

DeviceAccessPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation DeviceAccessPolicyChanged and the workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties target.labels.key/value

HeartBeat

The following table lists the log fields and corresponding UDM mappings for the operation HeartBeat and the workload Aip:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Common target.resource.product_object_id

target.resource.name

target.process.command_line

target.hostname

metadata.product_version

ApplicationId is mapped to target.resource.product_object_id

ApplicationName is mapped to target.resource.name

ProcessName is mapped to target.process.command_line

DeviceName is mapped to target.hostname

ProductVersion is mapped to metadata.product_version

Version metadata.product_version

MessageCreation

The following table lists the log fields and corresponding UDM mappings for the operation MessageCreation and the workload Yammer:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version
MessageID target.resource.product_object_id

ThreadViewed

The following table lists the log fields and corresponding UDM mappings for the operation ThreadViewed and the workload Yammer:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version
ThreadID about.labels.key/value

StreamEditAdminGlobalRoleMembers

The following table lists the log fields and corresponding UDM mappings for the operation StreamEditAdminGlobalRoleMembers and the workload MicrosoftStream:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeGetTextTrack

The following table lists the log fields and corresponding UDM mappings for the operation StreamInvokeGetTextTrack and the workload MicrosoftStream:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeChannelView

The following table lists the log fields and corresponding UDM mappings for the operation StreamInvokeChannelView and the workload MicrosoftStream:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoMakePublic

The following table lists the log fields and corresponding UDM mappings for the operation StreamInvokeVideoMakePublic and the workload MicrosoftStream:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeGroupView

The following table lists the log fields and corresponding UDM mappings for the operation StreamInvokeGroupView and the workload MicrosoftStream:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

Set-CsOnlineDirectoryTenant

The following table lists the log fields and corresponding UDM mappings for the operation Set-CsOnlineDirectoryTenant and the workload SkypeForBusiness:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters target.labels.key/value
SkypeForBusinessEventType about.labels.key/value
TenantName target.resource.product_object_id
Version metadata.product_version

Set-CsHostedVoicemailPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Set-CsHostedVoicemailPolicy and the workload SkypeForBusiness:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters target.administrative_domain

target.url

target.labels.key/value

If Name is Organization then Value is mapped to target.administrative_domain

If Name is Destination then Value is mapped to target.url

else

target.labels.key/value

SkypeForBusinessEventType about.labels.key/value
TenantName target.resource.product_object_id
Version metadata.product_version

Get-CSSimpleUrlConfiguration

The following table lists the log fields and corresponding UDM mappings for the operation Get-CSSimpleUrlConfiguration and the workload SkypeForBusiness:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters target.administrative_domain

target.labels.key/value

If Name is Organization then Value is mapped to target.administrative_domain

else

target.labels.key/value

SkypeForBusinessEventType about.labels.key/value
TenantName target.resource.product_object_id
Version metadata.product_version

New-ExchangeAssistanceConfig

The following table lists the log fields and corresponding UDM mappings for the operation New-ExchangeAssistanceConfig and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value

New-App

The following table lists the log fields and corresponding UDM mappings for the operation New-App and the workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value
SessionId network.session_id

PublishToWebReport

The following table lists the log fields and corresponding UDM mappings for the operation "PublishToWebReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
  This field is mapped based on the value of the UpdateApp operation.
  recipients is mapped to target.user.email_addresses
  permissions is mapped to target.user.attribute.permissions.name
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
  RecipientEmail is mapped to about.user.email_addresses
  RecipientName is mapped to about.user.user_display_name
  ObjectId is mapped to about.user.product_object_id
  ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
ReportName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value
ActivityId principal.labels.key/value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value

UpdateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
  This field is mapped based on the value of the UpdateApp operation.
  recipients is mapped to target.user.email_addresses
  permissions is mapped to target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
  RecipientEmail is mapped to about.user.email_addresses
  RecipientName is mapped to about.user.user_display_name
  ObjectId is mapped to about.user.product_object_id
  ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState about.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value
RequestId about.labels.key/value
GatewayId target.resource.product_object_id

ShareDataset

The following table lists the log fields and corresponding UDM mappings for the operation "ShareDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
  This field is mapped based on the value of the UpdateApp operation.
  recipients is mapped to target.user.email_addresses
  permissions is mapped to target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
  RecipientEmail is mapped to about.user.email_addresses
  RecipientName is mapped to about.user.user_display_name
  ObjectId is mapped to about.user.product_object_id
  ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
ArtifactId target.resource.product_object_id
ArtifactName target.resource.name
RequestId about.labels.key/value
ActivityId principal.labels.key/value
UserAgent network.http.user_agent
SharingAction about.labels.key/value

GetRefreshablesAsAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "GetRefreshablesAsAdmin" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name
  This field is mapped based on the value of the UpdateApp operation.
  recipients is mapped to target.user.email_addresses
  permissions is mapped to target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name
  RecipientEmail is mapped to about.user.email_addresses
  RecipientName is mapped to about.user.user_display_name
  ObjectId is mapped to about.user.product_object_id
  ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName target.resource.attribute.labels.key/value
RequestId about.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value

CreateTagJob

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTagJob" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
CaseID target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
ExtendedProperties target.resource.attribute.labels.key/value
StartTime target.resource.attribute.creation_time

Add delegated permission grant

The following table lists the log fields and corresponding UDM mappings for the operation "Add delegated permission grant" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.product_object_id, target.resource.name, security_result.summary, target.resource.attribute.labels.key/value
  If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id
  If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
  If Name is DelegatedPermissionGrant.Scope then NewValue and OldValue are mapped to target.resource.attribute.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
  If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId target.labels.key/value
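The conditional rules in the SkypeForBusiness Parameters tables above and in this Azure AD table (ExtendedProperties, ModifiedProperties and Target) are the parts of the mapping that are not a plain field-to-field lookup, and they are where a detection engineer most often has to check what a normalized event will actually contain. The following Python is an added example, not Chronicle's parser code, that applies this table's rules to a constructed audit record and returns a flat dict keyed by UDM path. It assumes that additionalDetails carries a JSON string containing a User-Agent key, that a Type 5 Target ID containing "@" is an e-mail address and otherwise a user ID (the table only says "userid or email_addresses"), and that the label key names used for the DelegatedPermissionGrant.Scope old and new values are its own convention.

```python
import json

# Constructed sample audit record (placeholder values, not real tenant data).
# additionalDetails is assumed to carry a JSON string with a User-Agent key.
SAMPLE_RECORD = json.dumps({
    "Operation": "Add delegated permission grant",
    "Workload": "AzureActiveDirectory",
    "Version": 1,
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
        {"Name": "additionalDetails",
         "Value": json.dumps({"User-Agent": "Mozilla/5.0 (constructed)"})},
        {"Name": "extendedAuditEventCategory", "Value": "DelegatedPermissionGrant"},
        {"Name": "someOtherProperty", "Value": "x"},
    ],
    "ModifiedProperties": [
        {"Name": "ServicePrincipal.ObjectId", "NewValue": "sp-object-id-placeholder", "OldValue": ""},
        {"Name": "ServicePrincipal.DisplayName", "NewValue": "Example App", "OldValue": ""},
        {"Name": "DelegatedPermissionGrant.Scope", "NewValue": "User.Read Mail.Read", "OldValue": "User.Read"},
        {"Name": "Included Updated Properties", "NewValue": "DelegatedPermissionGrant.Scope", "OldValue": ""},
    ],
    "Target": [
        {"Type": 5, "ID": "alice@example.com"},
        {"Type": 2, "ID": "sp-object-id-placeholder"},
    ],
    "TargetContextId": "tenant-id-placeholder",
})


def _add_label(udm, path, key, value):
    """Append one key/value pair to a repeated labels field at a UDM path."""
    udm.setdefault(path, []).append({"key": key, "value": str(value)})


def normalize_delegated_permission_grant(raw_json):
    """Apply the table's rules to one raw record; returns a flat dict keyed by UDM path."""
    rec = json.loads(raw_json)
    udm = {"metadata.event_type": "USER_RESOURCE_UPDATE_PERMISSIONS"}
    if "Version" in rec:
        udm["metadata.product_version"] = str(rec["Version"])
    if "AzureActiveDirectoryEventType" in rec:
        _add_label(udm, "target.resource.attribute.labels",
                   "AzureActiveDirectoryEventType", rec["AzureActiveDirectoryEventType"])

    # ExtendedProperties: User-Agent, audit category, everything else as about.labels.
    for prop in rec.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value")
        if name == "additionalDetails":
            try:
                details = json.loads(value)
            except (TypeError, ValueError):
                details = {}
            if isinstance(details, dict) and "User-Agent" in details:
                udm["network.http.user_agent"] = details["User-Agent"]
        elif name == "extendedAuditEventCategory":
            _add_label(udm, "target.resource.attribute.labels", name, value)
        else:
            _add_label(udm, "about.labels", name, value)

    # ModifiedProperties: only the properties named in the table are mapped.
    for prop in rec.get("ModifiedProperties", []):
        name, new, old = prop.get("Name"), prop.get("NewValue"), prop.get("OldValue")
        if name == "ServicePrincipal.ObjectId":
            udm["target.resource.product_object_id"] = new
        elif name == "ServicePrincipal.DisplayName":
            udm["target.resource.name"] = new
        elif name == "Included Updated Properties":
            udm["security_result.summary"] = new
        elif name == "DelegatedPermissionGrant.Scope":
            # Label key names below are this example's own convention.
            _add_label(udm, "target.resource.attribute.labels", name + ".NewValue", new)
            _add_label(udm, "target.resource.attribute.labels", name + ".OldValue", old)

    # Target: every entry becomes a detection field; Type 5 also identifies the user.
    for tgt in rec.get("Target", []):
        _add_label(udm, "security_result.detection_fields",
                   "Target.Type%s" % tgt.get("Type"), tgt.get("ID"))
        if tgt.get("Type") == 5:
            ident = tgt.get("ID", "")
            if "@" in ident:  # assumption: e-mail-shaped IDs go to email_addresses
                udm.setdefault("target.user.email_addresses", []).append(ident)
            else:
                udm["target.user.userid"] = ident

    if "TargetContextId" in rec:
        _add_label(udm, "target.labels", "TargetContextId", rec["TargetContextId"])
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_delegated_permission_grant(SAMPLE_RECORD), indent=2))
```

Running the block prints the normalized record. Note that ModifiedProperties entries whose Name is not one of the four listed in the table are dropped entirely, so a rule that needs, for example, the consent type would have to read the raw log rather than the UDM event.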

Add app role assignment to service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment to service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.product_object_id, target.resource.name, security_result.summary
  If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id
  If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
TargetContextId target.labels.key/value

Update application

The following table lists the log fields and corresponding UDM mappings for the operation "Update application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties security_result.summary
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
TargetContextId target.labels.key/value

Update application – Certificates and secrets management

The following table lists the log fields and corresponding UDM mappings for the operation "Update application – Certificates and secrets management" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
  ObjectId is mapped only if it is a unique field in the log.
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties security_result.summary, target.resource.attribute.labels.key/value
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
  If Name is RequiredResourceAccess then NewValue and OldValue are mapped to target.resource.attribute.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
TargetContextId target.labels.key/value

Add owner to application

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.product_object_id, target.resource.name, security_result.summary
  If Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id
  If Name is Application.DisplayName then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.labels.key/value
TargetContextId target.labels.key/value

Add application

The following table lists the log fields and corresponding UDM mappings for the operation "Add application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.name, security_result.summary
  If Name is DisplayName then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
TargetContextId target.labels.key/value

Add device configuration

The following table lists the log fields and corresponding UDM mappings for the operation "Add device configuration" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.name, security_result.summary
  If Name is DisplayName then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
TargetContextId target.labels.key/value

Add unverified domain

The following table lists the log fields and corresponding UDM mappings for the operation "Add unverified domain" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.name, security_result.summary
  If Name is Name then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value
TargetContextId target.labels.key/value

Add policy

The following table lists the log fields and corresponding UDM mappings for the operation "Add policy" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value
  If Name is additionalDetails then the User-Agent extracted from it is mapped to network.http.user_agent
  If Name is extendedAuditEventCategory then it is mapped to target.resource.attribute.labels.key/value
  else about.labels.key/value
ModifiedProperties target.resource.name, security_result.summary
  If Name is DisplayName then NewValue is mapped to target.resource.name
  If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target security_result.detection_fields.key/value
TargetContextId target.labels.key/value

CreateResponse

The following table lists the log fields and corresponding UDM mappings for the operation "CreateResponse" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

EditForm

The following table lists the log fields and corresponding UDM mappings for the operation "EditForm" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

SubmitResponse

The following table lists the log fields and corresponding UDM mappings for the operation "SubmitResponse" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
FormsUserTypes principal.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

ViewResponses

The following table lists the log fields and corresponding UDM mappings for the operation "ViewResponses" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

ViewRuntimeForm

The following table lists the log fields and corresponding UDM mappings for the operation "ViewRuntimeForm" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

DeleteFlow

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFlow" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
FormsUserTypes target.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

ListViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ListViewed" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value
ItemCount target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
TemplateTypeId about.labels.key/value

ListColumnUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value

ListContentTypeUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListContentTypeUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value

ListItemDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemDeleted" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListTitle about.labels.key/value
WebId about.labels.key/value

ListUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value
TemplateTypeId about.labels.key/value
ApplicationDisplayName target.application
ItemCount target.labels.key/value

ListItemCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value
TemplateTypeId about.labels.key/value
ItemCount target.labels.key/value

ListColumnCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value
TemplateTypeId about.labels.key/value
ItemCount target.labels.key/value

SiteContentTypeUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value

ListItemViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemViewed" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value
ItemCount target.labels.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
ListItemUniqueId principal.asset_id

ListItemUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
WebId about.labels.key/value
target.file.size target.labels.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
ListItemUniqueId principal.asset_id

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
DestinationLocationType target.labels.key/value
DeviceName target.hostname
FileExtension target.file.mime_type
FileType target.resource.attribute.labels.key/value
PreviousFileName src.file.full_path
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value
TargetFilePath target.file.full_path

UpdatePowerApp

The following table lists the log fields and corresponding UDM mappings for the operation "UpdatePowerApp" and workload "PowerApps":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AppName target.labels.key/value
Id metadata.product_log_id

SubscribedToMessages

The following table lists the log fields and corresponding UDM mappings for the operation "SubscribedToMessages" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
  If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
ExtraProperties additional.fields.key/value.string_value
SubscriptionId target.resource.attribute.labels.key/value
OperationScope about.labels.key/value
Version metadata.product_version

MessageCreatedNotification

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedNotification" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
  If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
MessageVersion target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers and target.group.product_object_id
OperationScope about.labels.key/value
Version metadata.product_version

MessageUpdatedNotification

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdatedNotification" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
  If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
MessageVersion target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers and target.group.product_object_id
OperationScope about.labels.key/value
Version metadata.product_version

MessageCreatedHasLink

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedHasLink" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers and target.group.product_object_id
CommunicationType about.labels.key/value
ExtraProperties additional.fields.key/value.string_value
MessageVersion target.resource.attribute.labels.key/value
OperationScope about.labels.key/value
Version metadata.product_version

MessagesListed

The following table lists the log fields and corresponding UDM mappings for the operation "MessagesListed" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
  If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
ChannelGuid target.resource.product_object_id
AADGroupId target.labels.key/value
CommunicationType about.labels.key/value
OperationScope about.labels.key/value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

PerformedCardAction

The following table lists the log fields and corresponding UDM mappings for the operation "PerformedCardAction" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
  If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
CommunicationType about.labels.key/value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

MessageEditedHasLink

The following table lists the log fields and the corresponding UDM mappings for the operation "MessageEditedHasLink" and the workload "MicrosoftTeams":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers, target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |

MeetingParticipantDetail

The following table lists the log fields and the corresponding UDM mappings for the operation "MeetingParticipantDetail" and the workload "MicrosoftTeams":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE |
| Attendees | about.resource.product_object_id, about.user.product_object_id, about.user.attribute.roles.name. OrganizationId is mapped to about.resource.product_object_id; Role is mapped to about.user.attribute.roles.name; UserObjectId is mapped to about.user.product_object_id |
| ExtraProperties | additional.fields.key/value.string_value |
| JoinTime | target.resource.attribute.creation_time |
| LeaveTime | target.resource.attribute.last_update_time |
| MeetingDetailId | target.resource.product_object_id |
| Version | metadata.product_version |

MeetingDetail

The following table lists the log fields and the corresponding UDM mappings for the operation "MeetingDetail" and the workload "MicrosoftTeams":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE |
| StartTime | target.resource.attribute.creation_time |
| EndTime | target.resource.attribute.last_update_time |
| ExtraProperties | additional.fields.key/value.string_value |
| MeetingURL | target.url |
| MessageId | target.resource.product_object_id |
| ChatThreadId | target.user.group_identifiers, target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| Modalities | security_result.summary |
| Organizer | principal.user.product_object_id |
| Version | metadata.product_version |

MessageUpdated

The following table lists the log fields and the corresponding UDM mappings for the operation "MessageUpdated" and the workload "MicrosoftTeams":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| MessageId | target.resource.product_object_id |
| ChatThreadId | target.user.group_identifiers, target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| Version | metadata.product_version |

AggregateTransportQueueData

The following table lists the log fields and the corresponding UDM mappings for the operation "AggregateTransportQueueData" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

AuthorizeCustomerInsight

The following table lists the log fields and the corresponding UDM mappings for the operation "AuthorizeCustomerInsight" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

AuthorizeConnectorReportData

The following table lists the log fields and the corresponding UDM mappings for the operation "AuthorizeConnectorReportData" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

SearchAlertOverride

The following table lists the log fields and the corresponding UDM mappings for the operation "SearchAlertOverride" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

AuthorizeMailflowForwardingData

The following table lists the log fields and the corresponding UDM mappings for the operation "AuthorizeMailflowForwardingData" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

SearchDomainTrafficStatus

The following table lists the log fields and the corresponding UDM mappings for the operation "SearchDomainTrafficStatus" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

SearchAlertActivity

The following table lists the log fields and the corresponding UDM mappings for the operation "SearchAlertActivity" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

AggregateMailmetadata

The following table lists the log fields and the corresponding UDM mappings for the operation "AggregateMailmetadata" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

InsightGenerated

The following table lists the log fields and the corresponding UDM mappings for the operation "InsightGenerated" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Category | security_result.category_details |
| Description | security_result.description |
| InsightId | target.resource.product_object_id |
| Name | target.resource.name |
| Version | metadata.product_version |

UserSubmission

The following table lists the log fields and the corresponding UDM mappings for the operation "UserSubmission" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCAN_UNCATEGORIZED. security_result.category is set to MAIL_SPAM. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| KesMailId | network.email.mail_id |
| ExtendedProperties | security_result.rule_name, security_result.rule_id, security_result.category_details. SubmissionSource is mapped to security_result.rule_name; SubmissionId is mapped to security_result.rule_id; SubmissionCategory is mapped to security_result.category_details |
| P1SenderDomain | principal.administrative_domain |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| P2Sender | network.email.from |
| SubmissionState | security_result.summary |
| P1Sender | principal.user.email_addresses |
| Version | metadata.product_version |

SaveRoleGroupMember

The following table lists the log fields and the corresponding UDM mappings for the operation "SaveRoleGroupMember" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

AggregateCampaignIntelligenceData

The following table lists the log fields and the corresponding UDM mappings for the operation "AggregateCampaignIntelligenceData" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

SearchEmailTimelineEvents

The following table lists the log fields and the corresponding UDM mappings for the operation "SearchEmailTimelineEvents" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

SearchAlertStory

The following table lists the log fields and the corresponding UDM mappings for the operation "SearchAlertStory" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

AggregateThreatDetailsBulk

The following table lists the log fields and the corresponding UDM mappings for the operation "AggregateThreatDetailsBulk" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

Get-User

The following table lists the log fields and the corresponding UDM mappings for the operation "Get-User" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line, target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |

Get-DlpComplianceRule

The following table lists the log fields and the corresponding UDM mappings for the operation "Get-DlpComplianceRule" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line, target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |

AnalyzedByExternalApplication

The following table lists the log fields and the corresponding UDM mappings for the operation "AnalyzedByExternalApplication" and the workload "Power BI":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to RESOURCE_READ |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.name |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |

New-MigrationBatch

The following table lists the log fields and the corresponding UDM mappings for the operation "New-MigrationBatch" and the workload "Exchange":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name, target.administrative_domain, target.resource.attribute.key/value. If Name is Name, Value is mapped to target.resource.name; if Name is TargetDeliveryDomain, Value is mapped to target.administrative_domain; if Name is AutoStart, Value is mapped to target.resource.attribute.key/value; if Name is AutoComplete, Value is mapped to target.resource.attribute.key/value |
| SessionId | network.session_id |

UserSubmissionTriage

The following table lists the log fields and the corresponding UDM mappings for the operation "UserSubmissionTriage" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCAN_UNCATEGORIZED. security_result.category is set to MAIL_SPAM. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | security_result.rule_name, security_result.rule_id, security_result.category_details. SubmissionSource is mapped to security_result.rule_name; SubmissionId is mapped to security_result.rule_id; SubmissionCategory is mapped to security_result.category_details |
| GradingResult | security_result.category_details |
| KesMailId | network.email.mail_id |
| P1Sender | principal.user.email_addresses |
| P1SenderDomain | principal.administrative_domain |
| P2Sender | network.email.from |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| SubmissionState | security_result.summary |

FileArchived

The following table lists the log fields and the corresponding UDM mappings for the operation "FileArchived" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |

FileCreatedOnNetworkShare

The following table lists the log fields and the corresponding UDM mappings for the operation "FileCreatedOnNetworkShare" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_CREATION |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |

FileCreatedOnRemovableMedia

The following table lists the log fields and the corresponding UDM mappings for the operation "FileCreatedOnRemovableMedia" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_CREATION |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |

SlimFilePrinted

The following table lists the log fields and the corresponding UDM mappings for the operation "SlimFilePrinted" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. target.asset.type is set to PRINTER. |
| Application | target.application |
| DeviceName | target.hostname |
| FileType | target.resource.attribute.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |

FilePrinted

The following table lists the log fields and the corresponding UDM mappings for the operation "FilePrinted" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. target.asset.type is set to PRINTER. |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |

| Log field | UDM mapping |
|---|---|
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| PreviousFileName | src.file.full_path |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |

ArchiveCreated

The following table lists the log fields and the corresponding UDM mappings for the operation "ArchiveCreated" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |

FileDownloadedFromBrowser

The following table lists the log fields and the corresponding UDM mappings for the operation "FileDownloadedFromBrowser" and the workload "Endpoint":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |

Create application password for user

The following table lists the log fields and the corresponding UDM mappings for the operation "Create application password for user" and the workload "AzureActiveDirectory":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
| ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |

SearchNdrDetailData

The following table lists the log fields and the corresponding UDM mappings for the operation "SearchNdrDetailData" and the workload "SecurityComplianceCenter":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line, target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |

MessageUpdated

The following table lists the log fields and the corresponding UDM mappings for the operation "MessageUpdated" and the workload "Yammer":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. If ResultStatus is TRUE, action is ALLOW; otherwise action is BLOCK. |
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |

Access

The following table lists the log fields and the corresponding UDM mappings for the operation "Access" and the workload "Aip":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.file.full_path. |
| Common | target.resource.product_object_id, target.resource.name, target.process.command_line, target.hostname, metadata.product_version. ApplicationId is mapped to target.resource.product_object_id; ApplicationName is mapped to target.resource.name; ProcessName is mapped to target.process.command_line; DeviceName is mapped to target.hostname; ProductVersion is mapped to metadata.product_version |
| DataState | security_result.summary |
| Version | metadata.product_version |

Discover

The following table lists the log fields and the corresponding UDM mappings for the operation "Discover" and the workload "Aip":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.file.full_path. |
| Common | target.resource.product_object_id, target.resource.name, target.process.command_line, target.hostname, metadata.product_version. ApplicationId is mapped to target.resource.product_object_id; ApplicationName is mapped to target.resource.name; ProcessName is mapped to target.process.command_line; DeviceName is mapped to target.hostname; ProductVersion is mapped to metadata.product_version |
| DataState | security_result.summary |
| Version | metadata.product_version |

TIUrlClickData

The following table lists the log fields and the corresponding UDM mappings for the operation "TIUrlClickData" and the workload "ThreatIntelligence":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.application |
| AppVersion | metadata.product_version |
| EventDeepLink | metadata.url_back_to_product |
| SourceId | If AppName is Mail, SourceId is mapped to network.email.id |
| Url | target.url |
| UserIp | principal.ip |
| Version | metadata.product_version |

Device no longer managed

The following table lists the log fields and the corresponding UDM mappings for the operation "Device no longer managed" and the workload "AzureActiveDirectory":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is set to DEVICE. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
| ModifiedProperties | target.asset.product_object_id, target.platform. If Name is TargetId.DeviceId, NewValue is mapped to target.asset.product_object_id; if Name is TargetId.DeviceOSType, NewValue is mapped to target.platform |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |

AirInvestigationData

The following table lists the log fields and the corresponding UDM mappings for the operation "AirInvestigationData" and the workload "AirInvestigation":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| LastUpdateTimeUtc | target.resource.attribute.last_update_time |
| Status | security_result.summary |
| InvestigationId | target.resource.product_object_id |
| InvestigationType | target.resource.attribute.labels.key/value |
| Data | security_result.description, security_result.category_details, network.email.to, network.email.from, network.email.mail_id, network.email.subject, network.direction, principal.ip, principal.administrative_domain, principal.user.email_addresses. Data.Description is mapped to security_result.description; Data.Category is mapped to security_result.category_details; Data.Entities.1.Recipient is mapped to network.email.to; Data.Entities.1.Sender is mapped to network.email.from; Data.Entities.1.InternetMessageId is mapped to network.email.mail_id; Data.Entities.1.Subject is mapped to network.email.subject; Data.Entities.1.AntispamDirection is mapped to network.direction; Data.Entities.1.SenderIP is mapped to principal.ip; Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain; Data.Entities.1.P1Sender is mapped to principal.user.email_addresses |
| InvestigationName | target.resource.name |
| StartTimeUtc | target.resource.attribute.creation_time |
| Version | metadata.product_version |
| DeepLinkUrl | metadata.url_back_to_product |

Set-MailboxJunkEmailConfiguration

The following table lists the log fields and the corresponding UDM mappings for the operation "Set-MailboxJunkEmailConfiguration" and the workload "Exchange":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.user.email_addresses. If Name is BlockedSendersAndDomains, Value is mapped to target.user.email_addresses (the addresses arrive as a ;-separated list) |
| SessionId | network.session_id |
| Version | metadata.product_version |

New-DistributionGroup

The following table lists the log fields and the corresponding UDM mappings for the operation "New-DistributionGroup" and the workload "Exchange":

| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GROUP_CREATION. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to Group Members definition. If ResultStatus is True, action is set to ALLOW; otherwise action is set to BLOCK. |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id or target.user.email_addresses or target.user.user_display_name; security_result.description; target.group.attribute.labels.key/value. If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; if Name is ManagedBy, Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name; if Name is Member, Value is mapped to security_result.description; otherwise it is mapped to target.group.attribute.labels.key/value |
| SessionId | network.session_id |

添加-分发组成员

下表列出了操作“Add-DistributionGroupMember”和工作负载“Exchange”的日志字段和对应的 UDM 映射:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then

Action is set to ALLOW

else

Action is set to BLOCK

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

else

target.group.attribute.labels.key/value

SessionId network.session_id
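
As an added example that is not part of the Chronicle parser or of this page, the following Python applies the Parameters rules from the New-DistributionGroup and Add-DistributionGroupMember tables above to constructed Exchange cmdlet audit records. Where a row says "product_object_id or email_addresses or ...", choosing by the value's shape (address, GUID, other) is an assumption of this example, and the UDM output is a simplified dict rather than the real proto.

```python
"""Added example, not Chronicle's parser: apply the New-DistributionGroup and
Add-DistributionGroupMember Parameters rules above to constructed Exchange audit records."""
import re

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample records, not real tenant logs.
SAMPLE_NEW_GROUP = {
    "Operation": "New-DistributionGroup", "Workload": "Exchange", "Version": 1,
    "ObjectId": "Finance Team", "ResultStatus": "True",
    "OriginatingServer": "EXSRV01 (15.20.0000.000)",
    "OrganizationName": "contoso.onmicrosoft.com", "SessionId": "session-0001",
    "AppId": "00000000-0000-0000-0000-00000000aaaa",
    "Parameters": [
        {"Name": "Identity", "Value": "finance-team@contoso.com"},
        {"Name": "ManagedBy", "Value": "alice@contoso.com"},
        {"Name": "Member", "Value": "bob@contoso.com;carol@contoso.com"},
        {"Name": "Type", "Value": "Distribution"},
    ],
}
SAMPLE_ADD_MEMBER = {
    "Operation": "Add-DistributionGroupMember", "Workload": "Exchange", "Version": 1,
    "ObjectId": "Finance Team", "ResultStatus": "False",
    "OriginatingServer": "EXSRV01 (15.20.0000.000)",
    "OrganizationName": "contoso.onmicrosoft.com", "SessionId": "session-0002",
    "Parameters": [
        {"Name": "Identity", "Value": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
        {"Name": "Member", "Value": "ffffffff-1111-2222-3333-444444444444"},
    ],
}


def _assign_identity(entity, value, fallback):
    """Assumption of this example: where the table says 'product_object_id or
    email_addresses or ...', route by the value's shape (address, GUID, anything else)."""
    if "@" in value:
        entity.setdefault("email_addresses", []).append(value)
    elif UUID_RE.match(value):
        entity["product_object_id"] = value
    else:
        entity[fallback] = value


def map_distribution_group_event(record):
    """Map one Exchange cmdlet audit record into a simplified UDM dict per the tables above."""
    op = record.get("Operation")
    if op not in ("New-DistributionGroup", "Add-DistributionGroupMember"):
        raise ValueError(f"unsupported operation: {op}")
    is_new = op == "New-DistributionGroup"
    sr = {"summary": "Group Members definition",
          "action": "ALLOW" if str(record.get("ResultStatus")) == "True" else "BLOCK"}
    udm = {
        "metadata": {"event_type": "GROUP_CREATION" if is_new else "GROUP_MODIFICATION",
                     "product_version": str(record.get("Version", ""))},
        "principal": {"hostname": record.get("OriginatingServer")},
        "network": {"session_id": record.get("SessionId")},
        "target": {"administrative_domain": record.get("OrganizationName"), "labels": [], "user": {},
                   "group": {"group_display_name": record.get("ObjectId"), "attribute": {"labels": []}}},
        "security_result": [sr],
    }
    for key in ("AppId", "ClientAppId"):
        if key in record:
            udm["target"]["labels"].append({"key": key, "value": record[key]})

    for param in record.get("Parameters", []):
        name, value = param.get("Name"), str(param.get("Value", ""))
        if name == "Identity":
            _assign_identity(udm["target"]["group"], value, "product_object_id")
        elif name == "ManagedBy" and is_new:
            _assign_identity(udm["target"]["user"], value, "user_display_name")
        elif name == "Member" and is_new:
            sr["description"] = value  # New-DistributionGroup keeps the member list as text
        elif name == "Member":
            _assign_identity(udm["target"]["user"], value, "userid")
        else:  # every other parameter becomes a group attribute label
            udm["target"]["group"]["attribute"]["labels"].append({"key": name, "value": value})
    return udm
```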

Remove-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation Remove-InboxRule and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

ObjectId is set to target.group.product_object_id

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.rule_labels.key/value
SessionId network.session_id

Enable-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation Enable-Mailbox and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.resource.attribute.labels.key/value

If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

if Name is Archive then Value is mapped to target.resource.attribute.labels.key/value

SessionId network.session_id

Import

The following table lists the log fields and corresponding UDM mappings for the operation Import and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED
AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permission.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
SwitchState about.labels.key/value
ImportSource about.labels.key/value
ImportType target.file.mime_type
ImportDisplayName target.file.full_path

Device no longer compliant

The following table lists the log fields and corresponding UDM mappings for the operation Device no longer compliant and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to DEVICE

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.resource.product_object_id

If Name is TargetId.DeviceId then NewValue is mapped to target.resource.product_object_id

If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value
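
The ExtendedProperties, ModifiedProperties, Target and ActorIpAddress rules in the table above recur in the other AzureActiveDirectory tables on this page. As an added example, not the Chronicle parser's code, the Python below applies them to a constructed "Device no longer compliant" record; the UDM platform enum names, the treatment of a port suffix in ActorIpAddress, and the simplified dict output are assumptions of this example.

```python
"""Added example, not Chronicle's parser: apply the AzureActiveDirectory table rules above."""
import json

# Assumption of this example: UDM platform enum names; unknown OS types fall back.
PLATFORM_MAP = {"windows": "WINDOWS", "macos": "MAC", "ios": "IOS", "android": "ANDROID", "linux": "LINUX"}

# Constructed sample record, not a real tenant's log.
SAMPLE_RECORD = {
    "Operation": "Device no longer compliant.", "Workload": "AzureActiveDirectory", "version": 1,
    "AzureActiveDirectoryEventType": 1, "Actor": [{"ID": "Device Registration Service", "Type": 1}],
    "ActorContextId": "00000000-0000-0000-0000-000000000001", "ActorIpAddress": "203.0.113.10:443",
    "InterSystemsId": "11111111-1111-1111-1111-111111111111",
    "TargetContextId": "00000000-0000-0000-0000-000000000001",
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0)\"}"},
        {"Name": "extendedAuditEventCategory", "Value": "Device"},
    ],
    "ModifiedProperties": [  # NewValue arrives JSON-encoded, hence the embedded quotes
        {"Name": "TargetId.DeviceId", "OldValue": "", "NewValue": "\"33333333-3333-3333-3333-333333333333\""},
        {"Name": "TargetId.DeviceOSType", "OldValue": "", "NewValue": "\"Windows\""},
        {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "\"\""},
    ],
    "Target": [{"ID": "dana@contoso.com", "Type": 5}, {"ID": "User", "Type": 2}],
}


def _unquote(value):
    """Decode a JSON-encoded string value such as "\"Windows\""; otherwise return it as is."""
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError):
        return value
    return decoded if isinstance(decoded, str) else value


def _split_ip_port(addr):
    """ActorIpAddress may carry a port: '203.0.113.10:443' or '[2001:db8::1]:443'."""
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
        return host, (int(port) if port else None)
    if addr.count(":") == 1:  # IPv4 with a port; a bare IPv6 address has more colons
        host, port = addr.split(":")
        return host, int(port)
    return addr, None


def map_device_not_compliant(record):
    """Map one record into a simplified UDM dict following the table above."""
    sr = {"detection_fields": []}
    udm = {"metadata": {"event_type": "USER_RESOURCE_UPDATE_PERMISSIONS",
                        "product_version": str(record.get("version", ""))},
           "principal": {"labels": []}, "network": {"http": {}}, "about": {"labels": []},
           "target": {"resource": {"resource_type": "DEVICE", "attribute": {"labels": []}},
                      "user": {}, "labels": []},
           "security_result": [sr]}
    res_labels = udm["target"]["resource"]["attribute"]["labels"]

    # One-to-one rows of the table: each log field lands in one label list.
    buckets = {"AzureActiveDirectoryEventType": res_labels, "InterSystemsId": res_labels,
               "IntraSystemId": res_labels, "ActorContextId": udm["principal"]["labels"],
               "TargetContextId": udm["target"]["labels"], "SupportTicketId": udm["about"]["labels"]}
    for key, bucket in buckets.items():
        if key in record:
            bucket.append({"key": key, "value": str(record[key])})
    if "Actor" in record:
        sr["detection_fields"].append({"key": "Actor", "value": json.dumps(record["Actor"])})
    if record.get("ActorIpAddress"):
        ip, port = _split_ip_port(record["ActorIpAddress"])
        udm["principal"]["ip"] = [ip]
        if port is not None:
            udm["principal"]["port"] = port

    # ExtendedProperties: additionalDetails is itself a JSON string carrying User-Agent.
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "additionalDetails":
            try:
                ua = json.loads(value).get("User-Agent")
            except (ValueError, AttributeError):
                ua = None
            if ua:
                udm["network"]["http"]["user_agent"] = ua
        elif name == "extendedAuditEventCategory":
            res_labels.append({"key": name, "value": value})
        else:
            udm["about"]["labels"].append({"key": name, "value": value})

    # ModifiedProperties: only the two names the table routes get dedicated fields.
    for prop in record.get("ModifiedProperties", []):
        name, new = prop.get("Name"), _unquote(prop.get("NewValue", ""))
        if name == "TargetId.DeviceId":
            udm["target"]["resource"]["product_object_id"] = new
        elif name == "TargetId.DeviceOSType":
            udm["target"]["platform"] = PLATFORM_MAP.get(new.lower(), "UNKNOWN_PLATFORM")

    # Target: Type 5 (a UPN) becomes the target user; other types stay as detection fields.
    for tgt in record.get("Target", []):
        ident = str(tgt.get("ID", ""))
        if tgt.get("Type") == 5:
            if "@" in ident:
                udm["target"]["user"].setdefault("email_addresses", []).append(ident)
            else:
                udm["target"]["user"]["userid"] = ident
        else:
            sr["detection_fields"].append({"key": f"Target.Type.{tgt.get('Type')}", "value": ident})
    return udm
```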

Enable account

The following table lists the log fields and corresponding UDM mappings for the operation Enable account and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value

Add service principal credentials

The following table lists the log fields and corresponding UDM mappings for the operation Add service principal credentials and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value

Set-SyncUser

The following table lists the log fields and corresponding UDM mappings for the operation Set-SyncUser and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

SessionId network.session_id

MessageSent

The following table lists the log fields and corresponding UDM mappings for the operation MessageSent and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

MessageSizeInBytes target.resource.attribute.labels.key/value
ChannelGuid target.labels.key/value
OperationScope about.labels.key/value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
AADGroupId target.labels.key/value
CommunicationType about.labels.key/value
MessageId target.resource.product_object_id
Version metadata.product_version
MessageVersion target.resource.attribute.labels.key/value

Remove service principal credentials

The following table lists the log fields and corresponding UDM mappings for the operation Remove service principal credentials and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value

Remove-MoveRequest

The following table lists the log fields and corresponding UDM mappings for the operation Remove-MoveRequest and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.resource.attribute.labels.key/value

If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

If Name is ExecutingIdentity then Value is mapped to target.resource.attribute.labels.key/value

StreamInvokeGetTranscript

The following table lists the log fields and corresponding UDM mappings for the operation StreamInvokeGetTranscript and workload MicrosoftStream:

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

Remove owner from group

The following table lists the log fields and corresponding UDM mappings for the operation Remove owner from group and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product_object_id

target.group.group_display_name

If Name is Group.ObjectID then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value

Add app role assignment to group

The following table lists the log fields and corresponding UDM mappings for the operation Add app role assignment to group and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

target.group.group_display_name

If Name is AppRole.Id then NewValue is mapped to target.resource.product_object_id

If Name is AppRole.DisplayName then NewValue is mapped to target.resource.name

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value

Disable-MailUser

The following table lists the log fields and corresponding UDM mappings for the operation Disable-MailUser and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is True then Action is set to BLOCK

Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

New-FolderMoveRequest

The following table lists the log fields and corresponding UDM mappings for the operation New-FolderMoveRequest and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
AppId target.labels.key/value
ClientAppId target.labels.key/value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters If Name is Name then Value is mapped to target.resource.name

If Name is DomainController then Value is mapped to target.administrative_domain

If Name is Folders then Value is mapped to target.resource.attribute.labels.key/value

Add owner to policy

The following table lists the log fields and corresponding UDM mappings for the operation Add owner to policy and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties If Name is Policy.ObjectID then NewValue is mapped to target.resource.product_object_id

If Name is Policy.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value

EditContentProviderProperties

The following table lists the log fields and corresponding UDM mappings for the operation EditContentProviderProperties and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AppName target.labels.key/value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
SwitchState about.labels.key/value
ContentProviderCertificationStage security_result.summary
AppId target.labels.key/value
RequestId about.labels.key/value

ReportingAccessed

The following table lists the log fields and corresponding UDM mappings for the operation ReportingAccessed and workload Project:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

GroupAccessFailure

The following table lists the log fields and corresponding UDM mappings for the operation GroupAccessFailure and workload Yammer:

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
ActorUserId principal.user.email_addresses

principal.user.userid

ActorYammerUserId principal.labels.key/value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description is set to IsSoftDelete - {IsSoftDelete}
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value
VersionId about.labels.key/value
Version metadata.product_version

FileSensitivityLabelChanged

The following table lists the log fields and corresponding UDM mappings for the operation FileSensitivityLabelChanged and workload SharePoint/OneDrive:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

ObjectId is mapped to target.file.full_path

AppAccessContext.CorrelationId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
DestinationFileExtension target.file.mime_type
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationLabel target.labels
EventSource principal.application
HighPriorityMediaProcessing about.labels
IsManagedDevice about.labels
ItemType target.resource.attribute.labels.key/value
ListBaseType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListServerTemplate security_result.detection_fields.key/value
SensitivityLabelEventData.ActionSource principal.labels.key/value
SensitivityLabelEventData.LabelEventType target.labels.key/value
SensitivityLabelEventData.OldSensitivityLabelId target.resource.product_object_id
SensitivityLabelEventData.OldSensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
Site target.labels.key/value
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceLabel src.labels.key/value
UserAgent network.http.user_agent
UserKey target.labels
Version metadata.product_version
WebId about.labels.key/value

FileRead

The following table lists the log fields and corresponding UDM mappings for the operation FileRead and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_READ

ObjectId is mapped to target.url

Application principal.application
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode target.labels
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
PolicyMatchInfo target.resource.product_object_id

security_result.summary

security_result.rule_id

security_result.rule_name

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

RMSEncrypted security_result.detection_fields.key/value
SensitiveInfoTypeData security_result.detection_fields.key/value

security_result.confidence_details

SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value

MessageReadReceiptReceived

The following table lists the log fields and corresponding UDM mappings for the operation MessageReadReceiptReceived and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ChatThreadId target.user.group_identifiers

target.group.product_object_id

CommunicationType about.labels.key/value
MessageId target.resource.product_object_id
MessageVersion target.resource.attribute.labels.key/value
MessageVisibilityTime target.resource.attribute.labels.key/value
ParticipantInfo.HasForeignTenantUsers security_result.detection_fields.key/value
ParticipantInfo.HasGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasOtherGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasUnauthenticatedUsers security_result.detection_fields.key/value
ParticipantInfo.ParticipatingTenantIds security_result.detection_fields.key/value

Search

The following table lists the log fields and corresponding UDM mappings for the operation Search and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED
AadAppId target.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value
Version metadata.product_version
DataType security_result.description

TaskDeleted

The following table lists the log fields and corresponding UDM mappings for the operation TaskDeleted and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION

target.resource.resource_type is set to TASK

ActorAppId target.labels.key/value
ItemId security_result.detection_fields.key/value
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value
TargetActorTenantId target.labels.key/value

TaskUpdated

The following table lists the log fields and corresponding UDM mappings for the operation TaskUpdated and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN

target.resource.resource_type is set to TASK

ActorAppId target.labels.key/value
ItemId security_result.detection_fields.key/value
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value
TargetActorTenantId target.labels.key/value

TaskCreation

The following table lists the log fields and corresponding UDM mappings for the operation TaskCreation and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION

target.resource.resource_type is set to TASK

ActorAppId target.labels.key/value
ItemId security_result.detection_fields.key/value
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value
TargetActorTenantId target.labels.key/value

SecurityGroupModified

The following table lists the log fields and corresponding UDM mappings for the operation SecurityGroupModified and workload Project:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
UserKey target.labels
Version metadata.product_version
AppAccessContext.UniqueTokenId target.labels
AppAccessContext.CorrelationId security_result.detection_fields.key/value

LaunchPowerApp

The following table lists the log fields and corresponding UDM mappings for the operation LaunchPowerApp and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AppName target.labels.key/value
Version metadata.product_version

DeleteDatasetRows

The following table lists the log fields and corresponding UDM mappings for the operation DeleteDatasetRows and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION.

If ResultStatus is TRUE then Action is set to ALLOW and security_result.summary is set to DataSetRow deletion successful

else Action is set to BLOCK and security_result.summary is set to DataSetRow deletion failed.

UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
ArtifactId target.resource.attribute.labels.key/value
RequestId about.labels.key/value
ActivityId principal.labels.key/value
TableName target.resource.attribute.labels.key/value
LastRefreshTime about.labels.key/value
ArtifactKind target.resource.attribute.labels.key/value

New-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
StartTime target.resource.attribute.creation_time
UserKey target.labels
UserServicePlan principal.labels.key/value
Version metadata.product_version

New-DlpComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation New-DlpComplianceRule and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
StartTime target.resource.attribute.creation_time
UserKey target.labels
UserServicePlan principal.labels.key/value
Version metadata.product_version

Get-InsiderRiskPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Get-InsiderRiskPolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.
ClientApplication principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
StartTime target.resource.attribute.creation_time
UserKey target.labels
UserServicePlan principal.labels.key/value
Version metadata.product_version

Set-HostedContentFilterPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Set-HostedContentFilterPolicy and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

target.resource.resource_type is set to SETTING.

If ResultStatus is TRUE then Action is set to ALLOW

else Action is set to BLOCK.

ExternalAccess about.labels.key/value
ObjectId target.resource.product_object_id
Version metadata.product_version
Parameters target.resource.attribute.labels.key/value
UserKey target.labels.key/value

Enable Strong Authentication.

The following table lists the log fields and corresponding UDM mappings for the operation Enable Strong Authentication. and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
ExtendedProperties If Name is equal to additionalDetails then User-Agent is mapped to network.http.user_agent

else if Name is equal to extendedAuditEventCategory then User-Agent is mapped to target.resource.attribute.labels.key/value

else User-Agent is mapped to about.labels.key/value.

ModifiedProperties If Name is equal to Included Updated Properties then NewValue is mapped to security_result.summary

else User-Agent is mapped to target.labels.key/value.

ReactedToMessage

The following table lists the log fields and corresponding UDM mappings for the operation ReactedToMessage and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.IssuedAtTime target.labels.key/value
AppAccessContext.UniqueTokenId target.labels.key/value
ChatThreadId target.user.group_identifiers

target.group.product_object_id

MessageReactionType target.resource.attribute.labels.key/value
ChatName target.group.group_display_name
MessageId target.resource.product_object_id
ParticipantInfo.HasForeignTenantUsers security_result.detection_fields.key/value
ParticipantInfo.HasGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasOtherGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasUnauthenticatedUsers security_result.detection_fields.key/value
ParticipantInfo.ParticipatingTenantIds security_result.detection_fields.key/value

RemovableMediaUnmount

The following table lists the log fields and corresponding UDM mappings for the operation RemovableMediaUnmount and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
MDATPDeviceId target.asset.asset_id
Platform target.labels.key/value
Scope target.labels.key/value
RemovableMediaDeviceAttributes.Manufacturer target.asset.hardware.manufacturer
RemovableMediaDeviceAttributes.Model target.asset.hardware.model
RemovableMediaDeviceAttributes.SerialNumber target.asset.hardware.serial_number

FileUploadedToCloud

The following table lists the log fields and corresponding UDM mappings for the operation FileUploadedToCloud and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC.
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode target.labels.key/value
EvidenceFile.FullUrl target.file.full_path
EvidenceFile.StorageName target.file.names
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
SensitiveInfoTypeData.Count security_result.detection_fields.key/value
SensitiveInfoTypeData.Confidence security_result.detection_fields.key/value
SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
TargetPrinterName target.asset.hostname

target.asset.type is set to PRINTER

TargetDomain target.labels.key/value

GenerateDataflowSasToken

The following table lists the log fields and corresponding UDM mappings for the operation GenerateDataflowSasToken and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS.
DataflowAccessTokenRequestParameters.entityName principal.labels.key/value
DataflowAccessTokenRequestParameters.partitionUri principal.labels.key/value
DataflowAccessTokenRequestParameters.permissions principal.labels.key/value
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes principal.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
IsSuccess If IsSuccess is TRUE then Action is set to ALLOW

else Action is set to BLOCK.

ItemName target.labels.key/value

GenerateScreenshot

The following table lists the log fields and corresponding UDM mappings for the operation GenerateScreenshot and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

MDCAssessments

The following table lists the log fields and corresponding UDM mappings for the operation MDCAssessments and workload CompliancePostureManagement:

Log field UDM mapping
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
PropertyBag.AssessmentStatusPerInitiative.ArnEventIdabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.CloudProviderabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.CustomerResourceIdabout.resource.product_object_id
PropertyBag.AssessmentStatusPerInitiative.EventTypeabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeIdabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeNameabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.ResourceNameabout.resource.name
PropertyBag.AssessmentStatusPerInitiative.ResourceTypeabout.resource.resource_subtype
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentIdabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDateabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.StatusCodeabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDateabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.SubscriptionIdabout.labels.key/value
PropertyBag.AssessmentStatusPerInitiative.SubscriptionNameabout.labels.key/value
PropertyBag.DataTypeabout.labels.key/value

RemovableMediaMount

The following table lists the log fields and corresponding UDM mappings for the action RemovableMediaMount and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
MDATPDeviceId target.asset.asset_id
Platform target.labels.key/value
Scope target.labels.key/value
RemovableMediaDeviceAttributes.Manufacturer target.asset.hardware.manufacturer
RemovableMediaDeviceAttributes.Model target.asset.hardware.model
RemovableMediaDeviceAttributes.SerialNumber target.asset.hardware.serial_number

SignInEvent

The following table lists the log fields and corresponding UDM mappings for the action SignInEvent and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
AuthenticationType principal.labels.key/value
BrowserName principal.labels.key/value
BrowserVersion principal.labels.key/value
DeviceDisplayName principal.labels.key/value
IsManagedDevice principal.labels.key/value

ApprovedRequest

The following table lists the log fields and corresponding UDM mappings for the action ApprovedRequest and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
ItemName target.labels.key/value

CreateForm

The following table lists the log fields and corresponding UDM mappings for the action CreateForm and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.
FormsUserType target.labels.key/value
SourceApp principal.application

ListForms

The following table lists the log fields and corresponding UDM mappings for the action ListForms and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.

MDCRegulatoryComplianceAssessments

The following table lists the log fields and corresponding UDM mappings for the action MDCRegulatoryComplianceAssessments and workload CompliancePostureManagement:

Log field UDM mapping
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
PropertyBag.DataType about.labels.key/value
PropertyBag.Policy.ArnEventId about.labels.key/value
PropertyBag.Policy.Description about.labels.key/value
PropertyBag.Policy.DetailsLink about.labels.key/value
PropertyBag.Policy.EventTime about.labels.key/value
PropertyBag.Policy.EventType about.labels.key/value
PropertyBag.Policy.PolicyInitiativeId about.labels.key/value
PropertyBag.Policy.PolicyInitiativeName about.labels.key/value

PreviewForm

The following table lists the log fields and corresponding UDM mappings for the action PreviewForm and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS.

ViewedApprovalRequest

The following table lists the log fields and corresponding UDM mappings for the action ViewedApprovalRequest and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
ItemName target.labels.key/value

ListCreated

The following table lists the log fields and corresponding UDM mappings for the action ListCreated and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.UniqueTokenId target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value

SiteColumnCreated

The following table lists the log fields and corresponding UDM mappings for the action SiteColumnCreated and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
ObjectId target.resource.product_object_id

ListViewUpdated

The following table lists the log fields and corresponding UDM mappings for the action ListViewUpdated and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.UniqueTokenId target.labels.key/value
AuthenticationType principal.labels.key/value
BrowserName principal.labels.key/value
BrowserVersion principal.labels.key/value
CustomizedDoclib principal.labels.key/value
DeviceDisplayName principal.labels.key/value
FromApp principal.labels.key/value
IsManagedDevice principal.labels.key/value
ItemCount target.labels.key/value
ItemType target.resource.attribute.labels.key/value
ListBaseTemplateType target.labels.key/value
ListBaseType target.labels.key/value
ListColor target.labels.key/value
ListIcon target.labels.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value
ObjectId target.url
Platform target.labels.key/value
RecordType security_result.detection_fields.key/value
Site target.labels.key/value
Source security_result.description
TemplateTypeId about.labels.key/value
WebId about.labels.key/value

TeamsUserSignedOut

The following table lists the log fields and corresponding UDM mappings for the action TeamsUserSignedOut and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_LOGOUT.
extension.auth.auth_type is mapped to SSO.
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChatName target.group.group_display_name
ChatThreadId target.user.group_identifiers
DeviceInformation principal.labels.key/value
ItemName target.labels.key/value
MessageId target.labels.key/value
MessageVersion target.labels.key/value
ObjectId target.labels.key/value
TeamGuid target.group.product_object_id
TeamName target.group.group_display_name
UserKey target.labels.key/value
UserType target.user.attribute.roles
Version metadata.product_version

GetWorkspaces

The following table lists the log fields and corresponding UDM mappings for the action GetWorkspaces and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Activity about.labels.key/value
ActivityId about.labels.key/value
AggregatedWorkspaceInformation.WorkspaceCount target.labels.key/value
AggregatedWorkspaceInformation.WorkspacesByCapacitySku target.labels.key/value
AggregatedWorkspaceInformation.WorkspacesByType target.labels.key/value
IsSuccess security_result.action
UserAgent network.http.user_agent

ConnectFromExternalApplication

The following table lists the log fields and corresponding UDM mappings for the action ConnectFromExternalApplication and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Activity about.labels.key/value
CustomData about.labels.key/value

TaskListRead

The following table lists the log fields and corresponding UDM mappings for the action TaskListRead and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
UserKey principal.labels.key/value
ObjectId target.labels.key/value
TaskList target.labels.key/value

PutConnection

The following table lists the log fields and corresponding UDM mappings for the action PutConnection and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ObjectId target.labels.key/value
Version metadata.product_version
AdditionalInfo.actionName security_result.detection_fields.key/value
ResourceId target.labels.key/value
UserKey target.labels.key/value
AdditionalInfo.environmentName target.labels.key/value

AdminSubmissionTablAllow

The following table lists the log fields and corresponding UDM mappings for the action AdminSubmissionTablAllow and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT.
SubmissionContent security_result.detection_fields.key/value
SubmissionContentType security_result.detection_fields.key/value
ObjectId target.labels.key/value
Recipients network.email.to
SubmissionState security_result.summary
SubmissionId security_result.detection_fields.key/value
ExtendedProperties principal.labels.key/value

about.labels.key/value

If Name is AdminReviewTime or AdminReviewResult then Value is mapped to principal.labels.key/value.

Else about.labels.key/value.

SubmissionConfidenceLevel security_result.detection_fields.key/value
SubmissionType security_result.detection_fields.key/value
MessageDate about.labels.key/value
P1SenderDomain principal.administrative_domain
UserKey target.labels.key/value
P2SenderDomain about.administrative_domain
Subject network.email.subject
Version metadata.product_version

Add contact.

The following table lists the log fields and corresponding UDM mappings for the action Add contact. and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION.

target.resource.resource_subtype is set to Contact.

ObjectId target.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
ActorContextId principal.labels.key/value
SupportTicketId about.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
TargetContextId target.labels.key/value
UserKey target.labels.key/value
Target security_result.detection_fields.key/value
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
Actor security_result.detection_fields.key/value
Version metadata.product_version
ExtendedProperties target.resource.attribute.labels.key/value

about.labels.key/value

If Name is extendedAuditEventCategory then Value is mapped to target.resource.attribute.labels.key/value.

Else about.labels.key/value.

ModifiedProperties target.resource.name

target.resource.attribute.labels.key/value

security_result.detection_fields.key/value

security_result.summary

If Name is Included Updated Properties then NewValue is mapped to security_result.summary and OldValue is mapped to security_result.detection_fields.key/value.

Else if Name is DisplayName then NewValue is mapped to target.resource.name and OldValue is mapped to target.resource.attribute.labels.key/value.

Else target.resource.attribute.labels.key/value.

WorkspacePortalUrlReceived

The following table lists the log fields and corresponding UDM mappings for the action WorkspacePortalUrlReceived and workload MicrosoftDefenderForIdentity:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ResultDescription security_result.detection_fields.key/value
UserKey target.labels.key/value

PutConnectionPermission

The following table lists the log fields and corresponding UDM mappings for the action PutConnectionPermission and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE.

target.resource.resource_type is set to SETTING.

ObjectId target.labels.key/value
Version metadata.product_version
AdditionalInfo.actionName security_result.detection_fields.key/value
ResourceId target.resource.attribute.labels.key/value
UserKey target.labels.key/value
AdditionalInfo.environmentName target.resource.attribute.labels.key/value
AdditionalInfo.targetObjectId target.resource.product_object_id

SensitivityLabeledFileOpened

The following table lists the log fields and corresponding UDM mappings for the action SensitivityLabeledFileOpened and workload PublicEndpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_OPEN.
PreviousProtectionType.protectionType security_result.detection_fields.key/value
CurrentProtectionType.protectionType security_result.detection_fields.key/value
DeviceName target.hostname
CurrentProtectionType.documentEncrypted security_result.detection_fields.key/value
CurrentProtectionType.owner security_result.about.email_addresses
TargetLocation target.labels.key/value
UserKey target.labels.key/value
LabelId target.labels.key/value
CurrentProtectionType.templateId security_result.detection_fields.key/value
ProtectionEventType security_result.detection_fields.key/value
ContentType target.labels.key/value
Platform target.platform
UserSku principal.labels.key/value
PreviousProtectionType.documentEncrypted security_result.detection_fields.key/value
ObjectId target.url
PreviousProtectionType.owner security_result.about.email_addresses
Application principal.application
PreviousProtectionType.templateId security_result.detection_fields.key/value

Validate

The following table lists the log fields and corresponding UDM mappings for the action Validate and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ResultCount target.labels.key/value
DataType security_result.description
UserKey target.labels.key/value
AadAppId target.labels.key/value
RelativeUrl target.url

SensitivityLabeledFileRenamed

The following table lists the log fields and corresponding UDM mappings for the action SensitivityLabeledFileRenamed and workload PublicEndpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE.
PreviousProtectionType.protectionType security_result.detection_fields.key/value
CurrentProtectionType.protectionType security_result.detection_fields.key/value
DeviceName target.hostname
CurrentProtectionType.documentEncrypted security_result.detection_fields.key/value
CurrentProtectionType.owner security_result.about.email_addresses
TargetLocation target.labels.key/value
UserKey target.labels.key/value
LabelId target.labels.key/value
CurrentProtectionType.templateId security_result.detection_fields.key/value
ProtectionEventType security_result.detection_fields.key/value
ContentType target.labels.key/value
Platform target.platform
UserSku principal.labels.key/value
PreviousProtectionType.documentEncrypted security_result.detection_fields.key/value
ObjectId target.url
PreviousProtectionType.owner security_result.about.email_addresses
Application principal.application
PreviousProtectionType.templateId security_result.detection_fields.key/value
PreviousTarget src.url

TaskModified

The following table lists the log fields and corresponding UDM mappings for the action TaskModified and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.type is set to TASK.

PlanId target.resource.attribute.labels.key/value
UserKey target.labels.key/value
ObjectId target.resource.product_object_id

DeleteTile

The following table lists the log fields and corresponding UDM mappings for the action DeleteTile and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION.
WorkspaceId target.resource.product_object_id
WorkSpaceName target.resource.name
UserKey target.labels.key/value
ActivityId principal.labels.key/value
RefreshEnforcementPolicy security_result.detection_fields.key/value
RequestId about.labels.key/value
IsSuccess security_result.action
UserAgent network.http.user_agent
ObjectId target.resource.attribute.labels.key/value

QuarantineReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the action QuarantineReleaseMessage and workload Quarantine:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
NetworkMessageId security_result.detection_fields.key/value
ReleaseTo security_result.detection_fields.key/value
RequestType security_result.detection_fields.key/value
RequestSource security_result.detection_fields.key/value

WorkspaceStatusReceived

The following table lists the log fields and corresponding UDM mappings for the action WorkspaceStatusReceived and workload MicrosoftDefenderForIdentity:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ResultDescription security_result.detection_fields.key/value

LinkedEntityUpdated

The following table lists the log fields and corresponding UDM mappings for the action LinkedEntityUpdated and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.resource_type is set to TASK.

ActorAppId target.labels.key/value
ItemId security_result.detection_fields.key/value and target.resource.product_object_id
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value
TargetActorTenantId target.labels.key/value

ViewResponse

The following table lists the log fields and corresponding UDM mappings for the action ViewResponse and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
FormsUserTypes principal.labels.key/value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

PlanListRead

The following table lists the log fields and corresponding UDM mappings for the action PlanListRead and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_subtype is set to Plan.

PlanList target.resource.product_object_id
ObjectId target.resource.attribute.labels.key/value

O365SyncAdminUserPromotion

The following table lists the log fields and corresponding UDM mappings for the action O365SyncAdminUserPromotion and workload Yammer:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value
ObjectId target.labels.key/value
YammerNetworkId principal.labels.key/value

FileCopiedToClipboard

The following table lists the log fields and corresponding UDM mappings for the action FileCopiedToClipboard and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED.
Application principal.application
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode target.labels.key/value
EvidenceFile.FullUrl target.labels.key/value
EvidenceFile.StorageName target.labels.key/value
FileExtension target.file.mime_type
FileType target.resource.attribute.labels.key/value
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
ObjectId target.file.full_path
Platform target.labels.key/value
PolicyMatchInfo target.resource.product_object_id

security_result.summary

security_result.rule_id

security_result.rule_name

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

SensitiveInfoTypeData security_result.detection_fields.key/value

security_result.confidence_details

Scope target.labels.key/value
RMSEncrypted security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
SourceLocationType principal.labels.key/value
TargetDomain target.domain.name
TargetFilePath target.labels.key/value
OriginatingDomain principal.domain.name

FileTranscriptContentAccessed

The following table lists the log fields and corresponding UDM mappings for the action FileTranscriptContentAccessed and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to FILE_READ.
AlternateStreamId security_result.detection_fields.key/value
ApplicationDisplayName target.application and target.resource.name
ApplicationId target.resource.product_object_id
AuthenticationType principal.labels.key/value
AppAccessContext.UniqueTokenId target.labels.key/value
BrowserName principal.labels.key/value
BrowserVersion principal.labels.key/value
DeviceDisplayName principal.labels.key/value
IsManagedDevice principal.labels.key/value
EventSource principal.application
HighPriorityMediaProcessing about.labels.key/value
ItemType target.resource.attribute.labels.key/value
ListBaseType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListServerTemplate security_result.detection_fields.key/value
ObjectId target.url
Platform target.labels.key/value
Site target.labels.key/value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is mapped to SourceRelativeUrl/SourceFileName.
SourceRelativeUrl target.file.full_path is mapped to SourceRelativeUrl/SourceFileName.
UserAgent network.http.user_agent
WebId about.labels.key/value

Set-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the action Set-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value
UserServicePlan principal.labels.key/value
Version metadata.product_version

Remove-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the action Remove-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value
UserServicePlan principal.labels.key/value
Version metadata.product_version

What's next