Collect Microsoft 365 logs
This document describes how to collect Microsoft 365 logs by setting up a Chronicle feed, and how the log fields map to Chronicle Unified Data Model (UDM) fields. It also lists the supported audited activities and the supported Microsoft 365 versions.
For an overview of data ingestion into Chronicle, see Data ingestion to Chronicle.
Overview
The following deployment architecture diagram shows how Microsoft 365 and a Chronicle feed are configured to send logs to Chronicle. Each customer deployment may differ from this representation and may be more complex.
The architecture diagram shows the following components:
Microsoft 365. The Microsoft 365 services from which you collect logs.
Chronicle feed. The Chronicle feed that fetches logs from Microsoft 365 and writes them to Chronicle.
Chronicle. Chronicle retains and analyzes the logs from Microsoft 365.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.
Before you begin
Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later, and verify that you are subscribed to Microsoft 365 Enterprise E5 and the Microsoft Security & Compliance Center features.
Grant users the required privileges and permissions to generate and export the different events for all supported Microsoft products. For sample permissions, see Permissions to access the Management API.
Configure Microsoft 365 to search and export logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. Logs can take up to 24 hours to be generated. For more information, see Search the audit log.
Ensure that all systems in the deployment architecture are configured with the Coordinated Universal Time (UTC) time zone.
Review the activities and products supported by the Chronicle parser. The following table lists the activities and products supported by the Chronicle parser:
Activity | Product |
---|---|
File and page activities | SharePoint Online and OneDrive for Business |
Folder activities | SharePoint Online and OneDrive for Business |
SharePoint list activities | SharePoint Online |
Sharing and access request activities | SharePoint Online and OneDrive for Business |
Sync activities | SharePoint Online and OneDrive for Business |
Site permission activities | SharePoint Online |
Site administration activities | SharePoint Online |
Exchange mailbox activities | Microsoft 365 group mailboxes |
User administration activities | Microsoft 365 admin center |
Azure AD group administration activities | Microsoft 365 admin center |
Application administration activities | When an admin adds or changes an application registered in Azure AD |
Role administration activities | Microsoft 365 admin center |
Directory administration activities | Microsoft 365 admin center |
Power BI activities | Power BI |
Microsoft Teams activities | Microsoft Teams |
Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
Microsoft Teams Healthcare activities | Patients app in Microsoft Teams |
Yammer activities | Yammer |
Microsoft Power Automate activities | Power Automate (formerly Microsoft Flow) |
Microsoft Power Apps activities | Power Apps |
Microsoft Stream activities | Microsoft Stream |
Quarantine activities | Quarantining email in Office 365 |
Microsoft Forms activities | Microsoft Teams |
Sensitivity label activities | Labeling for SharePoint Online and Teams activities |
Retention policy and retention label activities | Not applicable |
Briefing email activities | Briefing email |
MyAnalytics activities | MyAnalytics |
Information barrier activities | Not applicable |
Disposition review activities | Not applicable |
Communication compliance activities | Not applicable |
Undefined activities | Not applicable |
Configure a feed in Chronicle to ingest Microsoft 365 logs
- Go to Chronicle settings and click Feeds.
- Click Add New.
- For Source type, select Third party API.
- Select Office 365 as the Log type.
- Click Next.
- Specify the OAuth Client ID, OAuth Client Secret, and Tenant ID details according to your Microsoft 365 configuration.
- Select the content type for which you are creating this feed. You must create a separate feed for each content type you need.
- Click Next, and then click Submit.
For more information about Chronicle feeds, see the Chronicle feeds documentation.
Field mapping reference
This section describes how the Chronicle parser maps Microsoft 365 log fields to Chronicle Unified Data Model (UDM) fields for the supported operations and workloads.
Common fields
The following table lists the common log fields and their corresponding UDM fields.
Common log field | UDM field |
---|---|
ID | metadata.product_log_id |
RecordType | security_result.detection_fields.key/value; security_result.detection_fields.key is set to "{RecordType} - RecordTypeNameFromDoc" and security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc |
CreationTime | metadata.event_timestamp |
Operation | metadata.product_event_type |
OrganizationId | principal.resource.product_object_id |
UserType | principal.user.attribute.roles.name |
UserId | principal.user.email_addresses or principal.user.userid; target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant, then UserId is mapped to target.user; otherwise UserId is mapped to principal.user. If the UserId value contains an email address, it is mapped to email_addresses; otherwise it is mapped to userid. |
ClientIP | principal.ip and principal.port |
Workload | target.application |
AppAccessContext | network.session.id; security_result.detection_fields.key/value. AADSessionId is mapped to network.session.id and CorrelationId is mapped to security_result.detection_fields.key/value |
For reference information about the UDM mappings for the supported operations, see the following sections:
FileAccessed
The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileAccessedExtended
The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessedExtended" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "FileDeleted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCopied
The following table lists the log fields and corresponding UDM mappings for the operation "FileCopied" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path; SourceFileUrl extracted from EventData is mapped to src.file.full_path, and TargetFileUrl extracted from EventData is mapped to target.file.full_path |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileModified
The following table lists the log fields and corresponding UDM mappings for the operation "FileModified" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_MODIFICATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileDownloaded
The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloaded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
UserSessionId | network.http.session_id |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ZipFileName | principal.resource.parent |
FileModifiedExtended
The following table lists the log fields and corresponding UDM mappings for the operation "FileModifiedExtended" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_MODIFICATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileMoved
The following table lists the log fields and corresponding UDM mappings for the operation "FileMoved" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
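To make the conditional rules of the common-field table (UserId routed to target.user or principal.user by Operation, email address versus userid, ClientIP split into ip and port, AppAccessContext) and the src/target split of the FileMoved table concrete, the following Python is an added example and not Chronicle's parser or any code from this document. The RecordType lookup excerpt and the sample record are constructed, and reading "SourceRelativeUrl or SourceFileName" as "whichever is present" is an assumption.

```python
from __future__ import annotations
from typing import Any

# Operations whose UserId lands on target.user instead of principal.user
# (per the common-field table in this document).
TARGET_USER_OPERATIONS = {
    "UserLoggedIn", "UserLoginFailed", "Add OAuth2PermissionGrant",
    "TeamsUserSignedOut", "Add delegated permission grant",
}
# SharePoint/OneDrive operations from this document:
# operation -> (metadata.event_type, side that ObjectId and SourceFile* map to).
FILE_OPERATIONS = {
    "FileAccessed": ("USER_RESOURCE_ACCESS", "target"),
    "FileDeleted": ("FILE_DELETION", "target"),
    "FileModified": ("FILE_MODIFICATION", "target"),
    "FileUploaded": ("FILE_SYNC", "target"),
    "FileDownloaded": ("USER_RESOURCE_UPDATE_CONTENT", "src"),
    "FileMoved": ("FILE_MOVE", "src"),
    "FileRenamed": ("FILE_MOVE", "src"),
}
# Constructed excerpt of the RecordType lookup; the real parser uses the full
# AuditLogRecordType table from Microsoft's documentation.
RECORD_TYPES = {6: ("SharePointFileOperation", "SharePoint file operation events")}

def set_field(udm: dict, path: str, value: Any) -> None:
    """Assign a dotted UDM path such as 'src.file.full_path' in a nested dict."""
    node = udm
    *parents, leaf = path.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def add_detection_field(udm: dict, key: str, value: Any) -> None:
    """security_result.detection_fields is a repeated field, so append."""
    fields = udm.setdefault("security_result", {}).setdefault("detection_fields", [])
    fields.append({"key": key, "value": str(value)})

def split_client_ip(client_ip: str) -> tuple[str, int | None]:
    """ClientIP arrives as '1.2.3.4', '1.2.3.4:443' or '[2001:db8::1]:443'."""
    if client_ip.startswith("["):
        host, _, port = client_ip[1:].partition("]:")
        return host, (int(port) if port else None)
    if client_ip.count(":") == 1:
        host, _, port = client_ip.partition(":")
        return host, int(port)
    return client_ip, None  # bare IPv4 or bare IPv6 without a port

def map_common_fields(rec: dict) -> dict:
    """Apply the 'Common fields' table to one raw audit record."""
    udm: dict = {}
    set_field(udm, "metadata.product_log_id", rec["Id"])
    set_field(udm, "metadata.event_timestamp", rec["CreationTime"])
    set_field(udm, "metadata.product_event_type", rec["Operation"])
    set_field(udm, "principal.resource.product_object_id", rec["OrganizationId"])
    set_field(udm, "principal.user.attribute.roles", [{"name": str(rec["UserType"])}])
    set_field(udm, "target.application", rec["Workload"])
    name, desc = RECORD_TYPES.get(rec["RecordType"], ("Unknown", "not in lookup"))
    add_detection_field(udm, f"{rec['RecordType']} - {name}", desc)
    # Sign-in style operations describe the account being acted on, hence target.
    side = "target" if rec["Operation"] in TARGET_USER_OPERATIONS else "principal"
    if "@" in rec["UserId"]:
        set_field(udm, f"{side}.user.email_addresses", [rec["UserId"]])
    else:
        set_field(udm, f"{side}.user.userid", rec["UserId"])
    if rec.get("ClientIP"):
        ip, port = split_client_ip(rec["ClientIP"])
        set_field(udm, "principal.ip", [ip])
        if port is not None:
            set_field(udm, "principal.port", port)
    ctx = rec.get("AppAccessContext", {})
    if "AADSessionId" in ctx:
        set_field(udm, "network.session.id", ctx["AADSessionId"])
    if "CorrelationId" in ctx:
        add_detection_field(udm, "CorrelationId", ctx["CorrelationId"])
    return udm

def map_file_operation(rec: dict) -> dict:
    """Common fields plus the SharePoint/OneDrive mapping for FILE_OPERATIONS."""
    udm = map_common_fields(rec)
    event_type, side = FILE_OPERATIONS[rec["Operation"]]
    set_field(udm, "metadata.event_type", event_type)
    set_field(udm, "target.resource.resource_type", "STORAGE_OBJECT")
    set_field(udm, f"{side}.url", rec["ObjectId"])
    set_field(udm, f"{side}.file.mime_type", rec["SourceFileExtension"])
    if side == "src":  # src-side operations join folder and file name
        set_field(udm, "src.file.full_path",
                  f"{rec['SourceRelativeUrl']}/{rec['SourceFileName']}")
        if "DestinationFileName" in rec:  # FileMoved and FileRenamed carry a destination
            set_field(udm, "target.file.full_path",
                      f"{rec['DestinationRelativeUrl']}/{rec['DestinationFileName']}")
            set_field(udm, "target.file.mime_type", rec["DestinationFileExtension"])
    else:  # assumption: "SourceRelativeUrl or SourceFileName" = whichever is present
        set_field(udm, "target.file.full_path",
                  rec.get("SourceRelativeUrl") or rec["SourceFileName"])
    set_field(udm, "network.http.user_agent", rec.get("UserAgent", ""))
    set_field(udm, "network.http.referral_url", rec["SiteUrl"])
    set_field(udm, "principal.asset_id", rec["ListItemUniqueId"])
    set_field(udm, "metadata.product_version", rec["Version"])
    add_detection_field(udm, "CorrelationId", rec["CorrelationId"])
    return udm

# Constructed FileMoved record (not from any real tenant): a file leaving a
# team site for a personal OneDrive, the kind of move a SOC wants as FILE_MOVE.
SAMPLE_RECORD = {
    "Id": "0a1b2c3d-0000-4000-8000-000000000001", "RecordType": 6,
    "CreationTime": "2024-05-01T10:15:30", "Operation": "FileMoved",
    "OrganizationId": "11111111-2222-3333-4444-555555555555", "UserType": 0,
    "UserId": "alice@example.com", "ClientIP": "198.51.100.23:51624",
    "Workload": "SharePoint",
    "ObjectId": "https://tenant.example/sites/hr/Shared Documents/payroll.xlsx",
    "SourceRelativeUrl": "sites/hr/Shared Documents", "SourceFileName": "payroll.xlsx",
    "SourceFileExtension": "xlsx", "DestinationRelativeUrl": "personal/alice/Documents",
    "DestinationFileName": "payroll.xlsx", "DestinationFileExtension": "xlsx",
    "SiteUrl": "https://tenant.example/sites/hr/", "UserAgent": "Mozilla/5.0",
    "ListItemUniqueId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Version": 1,
    "CorrelationId": "ffffffff-1111-2222-3333-444444444444",
    "AppAccessContext": {"AADSessionId": "sess-0001", "CorrelationId": "corr-0002"},
}

def demo() -> dict:
    """Map the constructed FileMoved record into the nested UDM dict."""
    return map_file_operation(SAMPLE_RECORD)
```

Changing `Operation` in the sample to `FileAccessed` exercises the target-side branch, and changing it to `UserLoggedIn` shows UserId moving to target.user.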
FilePreviewed
The following table lists the log fields and corresponding UDM mappings for the operation "FilePreviewed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRenamed
The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileUploaded
The following table lists the log fields and corresponding UDM mappings for the operation "FileUploaded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_SYNC; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ImplicitShare | target.resource.attribute.labels.key/value |
FileVersionsAllDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllDeleted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
FileCheckedIn
The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedIn" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | workload map with intermediary.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckedOut
The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedOut" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url |
Site | Uniquely identifies the resource in the site, such as a file or folder |
ItemType | Contains values such as File, Folder, Web, Site, Tenant, and DocumentLibrary |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | Information about the user's browser, as provided by the browser |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | Not mapped to target.file.full_path, because the SiteUrl field does not contain a system path |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ComplianceSettingChanged
The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSettingChanged" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SharingType | target.labels.key/value |
LockRecord
The following table lists the log fields and corresponding UDM mappings for the operation "LockRecord" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnlockRecord
The following table lists the log fields and corresponding UDM mappings for the operation "UnlockRecord" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedFirstStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedFirstStageRecycleBin" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedSecondStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedSecondStageRecycleBin" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
RecordDelete
The following table lists the log fields and corresponding UDM mappings for the operation "RecordDelete" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to RESOURCE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to GENERIC_EVENT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckOutDiscarded
The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckOutDiscarded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
 | metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllMinorsRecycled
The following table lists the log fields and the corresponding UDM mappings for the operation "FileVersionsAllMinorsRecycled" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllRecycled
The following table lists the log fields and the corresponding UDM mappings for the operation "FileVersionsAllRecycled" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionRecycled
The following table lists the log fields and the corresponding UDM mappings for the operation "FileVersionRecycled" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRestored
The following table lists the log fields and the corresponding UDM mappings for the operation "FileRestored" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileMalwareDetected
The following table lists the log fields and the corresponding UDM mappings for the operation "FileMalwareDetected" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
VirusInfo | security_result.threat_name |
VirusVendor | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SearchQueryPerformed
The following table lists the log fields and the corresponding UDM mappings for the operation "SearchQueryPerformed" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventData | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PageViewed
The following table lists the log fields and the corresponding UDM mappings for the operation "PageViewed" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PagePrefetched
The following table lists the log fields and the corresponding UDM mappings for the operation "PagePrefetched" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ClientViewSignaled
The following table lists the log fields and the corresponding UDM mappings for the operation "ClientViewSignaled" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url. NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
PageViewedExtended
The following table lists the log fields and the corresponding UDM mappings for the operation "PageViewedExtended" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FolderCreated
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderCreated" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeleted
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderDeleted" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderMoved
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderMoved" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} (the SourceRelativeUrl field is not present in the log) |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} (the DestinationRelativeUrl field is not present in the log) |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} (the DestinationFileName field is not present in the log) |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path. The value is extracted with the grok pattern {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}: the SourceFileUrl value (src_file_full_path) is mapped to src.file.full_path and the TargetFileUrl value (target_file_full_path) is mapped to target.file.full_path |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
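The FolderMoved table above is the one place in this reference where the source and destination paths can come from two different fields: the {RelativeUrl}/{FileName} pairs when they are present, and the SourceFileUrl/TargetFileUrl elements inside EventData when the relative-URL fields are missing from the record. The following Python is an added example, not parser code from Chronicle or from this page; it implements that mapping for a record already parsed from JSON. The angle-bracket element form used in the regular expression, the two sample records and the placeholder hostname contoso-example.sharepoint.com are assumptions constructed for the example.

```python
import re
from typing import Any, Dict, Optional

# Regular-expression equivalent of the grok pattern the FolderMoved table describes for
# EventData: <SourceFileUrl>...</SourceFileUrl><TargetFileUrl>...</TargetFileUrl>.
# The element names come from the table; the angle-bracket form is an assumption.
_EVENTDATA_RE = re.compile(
    r"<SourceFileUrl>(?P<src_file_full_path>[^<]*)</SourceFileUrl>"
    r"\s*<TargetFileUrl>(?P<target_file_full_path>[^<]*)</TargetFileUrl>"
)

# One-to-one field mappings copied from the FolderMoved table.
_DIRECT_FIELDS = {
    "SourceFileExtension": "src.file.mime_type",
    "DestinationFileExtension": "target.file.mime_type",
    "UserAgent": "network.http.user_agent",
    "SiteUrl": "network.http.referral_url",
    "Version": "metadata.product_version",
    "EventSource": "principal.application",
    "MachineId": "target.asset.product_object_id",
    "ApplicationDisplayName": "target.application",
}


def _join_path(relative_url: Optional[str], file_name: Optional[str]) -> Optional[str]:
    """Build {RelativeUrl}/{FileName} exactly as the table states; None if either half is absent."""
    if not relative_url or not file_name:
        return None
    return f"{relative_url}/{file_name}"


def map_folder_moved(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map one FolderMoved audit record (a dict parsed from the JSON record) to flat UDM keys."""
    udm: Dict[str, Any] = {
        "metadata.event_type": "FILE_MOVE",
        "target.resource.resource_type": "STORAGE_OBJECT",
    }
    for log_field, udm_field in _DIRECT_FIELDS.items():
        value = record.get(log_field)
        if value:
            udm[udm_field] = value

    # Preferred source: the relative-URL and file-name pairs.
    src_path = _join_path(record.get("SourceRelativeUrl"), record.get("SourceFileName"))
    dst_path = _join_path(record.get("DestinationRelativeUrl"), record.get("DestinationFileName"))

    # The table notes that SourceRelativeUrl, DestinationRelativeUrl and DestinationFileName
    # can be absent from the log; then the paths are recovered from EventData instead.
    event_data = record.get("EventData")
    if (src_path is None or dst_path is None) and isinstance(event_data, str):
        match = _EVENTDATA_RE.search(event_data)
        if match:
            src_path = src_path or match.group("src_file_full_path")
            dst_path = dst_path or match.group("target_file_full_path")

    if src_path:
        udm["src.file.full_path"] = src_path
    if dst_path:
        udm["target.file.full_path"] = dst_path
    return udm


# Constructed sample records (not real tenant data); the hostname is a placeholder.
SAMPLE_WITHOUT_RELATIVE_URLS = {
    "Workload": "SharePoint",
    "Operation": "FolderMoved",
    "UserAgent": "Mozilla/5.0",
    "SiteUrl": "https://contoso-example.sharepoint.com/sites/eng/",
    "Version": "1",
    "EventData": (
        "<SourceFileUrl>https://contoso-example.sharepoint.com/sites/eng/Shared Documents/Archive</SourceFileUrl>"
        "<TargetFileUrl>https://contoso-example.sharepoint.com/sites/eng/Shared Documents/2023/Archive</TargetFileUrl>"
    ),
}

SAMPLE_WITH_RELATIVE_URLS = {
    "Workload": "SharePoint",
    "Operation": "FolderMoved",
    "SourceRelativeUrl": "Shared Documents",
    "SourceFileName": "Archive",
    "DestinationRelativeUrl": "Shared Documents/2023",
    "DestinationFileName": "Archive",
}

if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_RELATIVE_URLS, SAMPLE_WITH_RELATIVE_URLS):
        for key, value in sorted(map_folder_moved(sample).items()):
            print(f"{key} = {value}")
        print()
```

Running the script prints the flat UDM keys for both records; the first record has no relative-URL fields, so both paths come from EventData, while the second is built from the {RelativeUrl}/{FileName} pairs. Checking detection rules on src.file.full_path and target.file.full_path against both record shapes avoids rules that silently miss the EventData-only case.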
FolderRenamed
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderRenamed" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_MOVE | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderModified
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderModified" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderCopied
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderCopied" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path |
SourceRelativeUrl | src.file.full_path |
DestinationRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderRestored
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderRestored" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedFirstStageRecycleBin
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderDeletedFirstStageRecycleBin" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedSecondStageRecycleBin
The following table lists the log fields and the corresponding UDM mappings for the operation "FolderDeletedSecondStageRecycleBin" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedFull
The following table lists the log fields and the corresponding UDM mappings for the operation "FileSyncDownloadedFull" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedPartial
The following table lists the log fields and the corresponding UDM mappings for the operation "FileSyncDownloadedPartial" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedFull
The following table lists the log fields and the corresponding UDM mappings for the operation "FileSyncUploadedFull" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedPartial
The following table lists the log fields and the corresponding UDM mappings for the operation "FileSyncUploadedPartial" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ManagedSyncClientAllowed
The following table lists the log fields and the corresponding UDM mappings for the operation "ManagedSyncClientAllowed" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnmanagedSyncClientBlocked
The following table lists the log fields and the corresponding UDM mappings for the operation "UnmanagedSyncClientBlocked" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
AddedToGroup
The following table lists the log fields and the corresponding UDM mappings for the operation "AddedToGroup" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url | |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
EventData | target.group.group_display_name |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupAdded
The following table lists the log fields for the operation "GroupAdded" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION; ObjectId is mapped to target.url | |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupRemoved
The following table lists the log fields for the operation "GroupRemoved" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebRequestAccessModified
The following table lists the log fields for the operation "WebRequestAccessModified" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebMembersCanShareModified
The following table lists the log fields for the operation "WebMembersCanShareModified" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
version | metadata.product_version |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelModified
The following table lists the log fields for the operation "PermissionLevelModified" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | BasePermissions is mapped to target.resource.attribute.permissions.name |
version | metadata.product_version |
WebID | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminAdded
The following table lists the log fields for the operation "SiteCollectionAdminAdded" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminRemoved
The following table lists the log fields for the operation "SiteCollectionAdminRemoved" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses |
AssertingApplicationId | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelRemoved
The following table lists the log fields for the operation "PermissionLevelRemoved" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
RemovedFromGroup
The following table lists the log fields for the operation "RemovedFromGroup" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.group.group_display_name |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupUpdated
The following table lists the log fields for the operation "GroupUpdated" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.referral_url |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
ProjectCheckedOut
The following table lists the log fields for the operation "ProjectCheckedOut" and the workload "Project", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
ProjectAccessed
The following table lists the log fields for the operation "ProjectAccessed" and the workload "Project", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT | |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
SharingInheritanceBroken
The following table lists the log fields for the operation "SharingInheritanceBroken" and the workload "SharePoint", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
AddedToSecureLink
The following table lists the log fields for the operation "AddedToSecureLink" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
CorrelationId | security_result.detection_fields.key/value |
EventData | Extracted using grok: grok { match => { "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>" } }; Type is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
UniqueSharingId | target.labels.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ApplicationDisplayName | target.application |
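Three rules recur across these tables: TargetUserOrGroupName is routed by TargetUserOrGroupType (SecurityGroup and SharepointGroup to target.group.group_display_name, Guest and Member to target.user.userid or target.user.email_addresses), EventData is an XML-like string from which a grok step pulls the Type and MembersCanShareApplied tags into target.resource.attribute.labels, and ModifiedProperties is mapped by its Name field (Name, SiteAdmin, RequestAccessEmail). The Python below is an added example that applies those rules to a constructed record so the branching can be checked against a real event during parser validation. It is not the Chronicle OFFICE_365 parser, which is written in the parser's own configuration syntax; OPERATION_EVENT_TYPES lists only operations documented on this page; and two details are assumptions of this example rather than statements of the page: a value containing "@" is treated as an email address and anything else as a userid, and ModifiedProperties is taken to be a list of objects with Name and NewValue keys.

```python
"""Added example: the conditional UDM mapping rules from the tables above, in Python.
Not the Chronicle OFFICE_365 parser; the sample record below is constructed."""
import re

# Subset of the event_type rules documented on this page (operation -> metadata.event_type).
OPERATION_EVENT_TYPES = {
    "AddedToGroup": "GROUP_MODIFICATION",
    "RemovedFromGroup": "GROUP_MODIFICATION",
    "GroupAdded": "GROUP_CREATION",
    "GroupRemoved": "GROUP_DELETION",
    "AddedToSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "RemovedFromSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "SecureLinkCreated": "USER_RESOURCE_CREATION",
    "SecureLinkDeleted": "USER_RESOURCE_DELETION",
    "SiteCollectionAdminAdded": "USER_CHANGE_PERMISSIONS",
}

GROUP_TYPES = {"SecurityGroup", "SharepointGroup"}
USER_TYPES = {"Guest", "Member"}

# Only the two tags the tables name are extracted from EventData.
EVENTDATA_TAGS = ("Type", "MembersCanShareApplied")
TAG_RE = re.compile(r"<(?P<tag>%s)>(?P<value>[^<]*)</(?P=tag)>" % "|".join(EVENTDATA_TAGS))


def user_key(value: str) -> str:
    """Assumption of this example: an '@' marks an email address, otherwise a userid."""
    return "target.user.email_addresses" if "@" in value else "target.user.userid"


def map_target_user_or_group(record: dict) -> dict:
    """Route TargetUserOrGroupName by TargetUserOrGroupType, as the tables describe."""
    udm = {}
    name = record.get("TargetUserOrGroupName")
    kind = record.get("TargetUserOrGroupType")
    if not name:
        return udm
    if kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif kind in USER_TYPES:
        udm[user_key(name)] = name
    return udm


def extract_event_data_labels(event_data: str) -> dict:
    """Mirror the grok step: pull the named tags out of the XML-like EventData string."""
    return {m.group("tag"): m.group("value") for m in TAG_RE.finditer(event_data or "")}


def map_modified_properties(props: list) -> dict:
    """ModifiedProperties rules: Name -> group display name; SiteAdmin or RequestAccessEmail
    -> target user; any other Name -> target.labels. Assumes Name/NewValue objects."""
    udm, labels = {}, {}
    for prop in props:
        name, new = prop.get("Name"), prop.get("NewValue")
        if name == "Name":
            udm["target.group.group_display_name"] = new
        elif name in ("SiteAdmin", "RequestAccessEmail") and new:
            udm[user_key(new)] = new
        else:
            labels[name] = new
    if labels:
        udm["target.labels"] = labels
    return udm


def to_udm(record: dict) -> dict:
    """Normalize one raw audit record into flat UDM-style keys."""
    udm = {}
    event_type = OPERATION_EVENT_TYPES.get(record.get("Operation"))
    if event_type:
        udm["metadata.event_type"] = event_type
    if record.get("ObjectId"):
        udm["target.url"] = record["ObjectId"]
    udm.update(map_target_user_or_group(record))
    labels = extract_event_data_labels(record.get("EventData", ""))
    if labels:
        udm["target.resource.attribute.labels"] = labels
    udm.update(map_modified_properties(record.get("ModifiedProperties", [])))
    return udm


# Constructed sample record; the values are placeholders, not real tenant data.
SAMPLE_RECORD = {
    "Operation": "AddedToSecureLink",
    "Workload": "SharePoint",
    "ObjectId": "https://example.sharepoint.com/sites/finance/Shared%20Documents/budget.xlsx",
    "TargetUserOrGroupType": "Guest",
    "TargetUserOrGroupName": "partner@example.com",
    "EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
    "ModifiedProperties": [],
}

if __name__ == "__main__":
    for key, value in sorted(to_udm(SAMPLE_RECORD).items()):
        print(f"{key}: {value}")
```

Running the script on the sample record yields a RESOURCE_PERMISSIONS_CHANGE event whose target is the guest's email address and whose labels carry Type=Edit and MembersCanShareApplied=False; a record with TargetUserOrGroupType set to SharepointGroup takes the group branch instead, which is the distinction a detection on external sharing needs to rely on.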
CompanyLinkCreated
The following table lists the log fields for the operation "CompanyLinkCreated" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
ApplicationDisplayName | target.application |
CompanyLinkUsed
The following table lists the log fields for the operation "CompanyLinkUsed" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SecureLinkCreated
The following table lists the log fields for the operation "SecureLinkCreated" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
SharingInvitationCreated
The following table lists the log fields for the operation "SharingInvitationCreated" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | Sharing level is mapped to target.resource.attribute.labels.key/value; ExpirationDate is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkDeleted
The following table lists the log fields for the operation "SecureLinkDeleted" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | Extracted using grok: grok { match => { "EventData" => "<Type>{type_value}</Type>" } }; Type is mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
RemovedFromSecureLink
The following table lists the log fields for the operation "RemovedFromSecureLink" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | Extracted using grok: grok { match => { "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>" } }; Type is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
SharingInvitationRevoked
The following table lists the log fields for the operation "SharingInvitationRevoked" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUpdated
The following table lists the log fields for the operation "SecureLinkUpdated" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | Extracted using grok: grok { match => { "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>" } }; Type is mapped to target.resource.attribute.labels.key/value; MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUsed
The following table lists the log fields for the operation "SecureLinkUsed" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SharingRevoked
The following table lists the log fields for the operation "SharingRevoked" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SharingSet
The following table lists the log fields for the operation "SharingSet" and the workload "SharePoint/OneDrive", and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | If TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
PermissionLevelAdded
The following table lists the log fields and corresponding UDM mappings for the operation PermissionLevelAdded and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name: the BasePermissions value in EventData is mapped to target.resource.attribute.permissions.name |
SharingInvitationAccepted
The following table lists the log fields and corresponding UDM mappings for the operation SharingInvitationAccepted and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_UPDATE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.name: the Added to Group value in EventData is mapped to target.resource.name |
SharingInvitationBlocked
The following table lists the log fields and corresponding UDM mappings for the operation SharingInvitationBlocked and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_UNCATEGORIZED; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
EventData | security_result.summary: the Reason value in EventData is mapped to security_result.summary |
AccessRequestCreated
The following table lists the log fields and corresponding UDM mappings for the operation AccessRequestCreated and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
EventData | target.resource.attribute.labels.key/value: the Sharing level and ExpirationDate values in EventData are each mapped to target.resource.attribute.labels.key/value |
AnonymousLinkCreated
The following table lists the log fields and corresponding UDM mappings for the operation AnonymousLinkCreated and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_CREATION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: extracted with grok { match => { "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>" } }; Type and MembersCanShareApplied are each mapped to target.resource.attribute.labels.key/value |
UniqueSharingId | target.labels.key/value |
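The sharing tables above, from SharingSet through AnonymousLinkCreated, all follow one pattern: the Operation fixes metadata.event_type, TargetUserOrGroupType decides whether TargetUserOrGroupName lands in target.group or target.user, and EventData is picked apart with grok. The Python below is an added example written for this page, not Chronicle's parser and not Microsoft's code; it applies those rules to two constructed audit records. The dotted UDM key names, the helper names, the sample values and the decision to join SourceRelativeUrl and SourceFileName into full_path are assumptions.

```python
"""Added example, not Chronicle's parser: apply the SharePoint/OneDrive sharing
mapping rules above to constructed audit records. The dotted UDM key names,
helper names and the full_path join are assumptions."""
import json
import re

EVENT_TYPES = {  # Operation -> metadata.event_type, as listed in the tables above
    "SharingSet": "FILE_SYNC",
    "PermissionLevelAdded": "USER_CHANGE_PERMISSIONS",
    "SharingInvitationAccepted": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "SharingInvitationBlocked": "USER_UNCATEGORIZED",
    "AccessRequestCreated": "USER_RESOURCE_ACCESS",
    "AnonymousLinkCreated": "USER_RESOURCE_CREATION",
}
GROUP_TYPES = {"SecurityGroup", "SharepointGroup"}  # TargetUserOrGroupType -> target.group
USER_TYPES = {"Guest", "Member"}                    # TargetUserOrGroupType -> target.user

SAMPLE_RECORDS = [  # constructed, not real tenant data
    json.dumps({
        "Operation": "AnonymousLinkCreated", "Workload": "SharePoint",
        "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx",
        "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
        "SourceRelativeUrl": "Shared Documents", "SourceFileName": "q3.xlsx",
        "SourceFileExtension": "xlsx", "UserAgent": "Mozilla/5.0 (Windows NT 10.0)",
        "TargetUserOrGroupType": "Guest", "TargetUserOrGroupName": "alice@example.com",
        "EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
        "UniqueSharingId": "3b1f2c0a-0000-4000-8000-000000000001",
    }),
    json.dumps({
        "Operation": "SharingSet", "Workload": "OneDrive",
        "ObjectId": "https://contoso-my.sharepoint.com/personal/bob/Documents/plan.docx",
        "SourceFileName": "plan.docx", "SourceFileExtension": "docx",
        "TargetUserOrGroupType": "SecurityGroup", "TargetUserOrGroupName": "Finance Owners",
    }),
]


def map_target_user_or_group(record, udm):
    """TargetUserOrGroupType decides whether TargetUserOrGroupName is a group or a user."""
    kind, name = record.get("TargetUserOrGroupType"), record.get("TargetUserOrGroupName")
    if not name:
        return
    if kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif kind in USER_TYPES:
        udm["target.user.userid"] = name
        if "@" in name:
            udm["target.user.email_addresses"] = [name]
    # any other type is left unmapped rather than guessed


def parse_event_data(event_data):
    """The tables pull <Type> and <MembersCanShareApplied> out of EventData with grok;
    one regex per tag does the same here and tolerates either tag being absent."""
    labels = {}
    for tag in ("Type", "MembersCanShareApplied"):
        m = re.search(rf"<{tag}>([^<]*)</{tag}>", event_data or "")
        if m:
            labels[tag] = m.group(1)
    return labels


def normalize(raw):
    """Return a flat dict of UDM field -> value for one sharing audit record."""
    record = json.loads(raw)
    op = record.get("Operation")
    if op not in EVENT_TYPES:
        raise ValueError(f"unsupported operation: {op}")
    udm = {"metadata.event_type": EVENT_TYPES[op]}
    for src, dst in (("ObjectId", "target.url"), ("SiteUrl", "network.http.referral_url"),
                     ("UserAgent", "network.http.user_agent"),
                     ("SourceFileExtension", "target.file.mime_type")):
        if record.get(src):
            udm[dst] = record[src]
    # Assumption: full_path joins SourceRelativeUrl and SourceFileName when both are
    # present and otherwise takes whichever one exists.
    parts = [p.strip("/") for p in (record.get("SourceRelativeUrl"), record.get("SourceFileName")) if p]
    if parts:
        udm["target.file.full_path"] = "/".join(parts)
    map_target_user_or_group(record, udm)
    labels = parse_event_data(record.get("EventData"))
    if labels:
        udm["target.resource.attribute.labels"] = labels
    if record.get("UniqueSharingId"):
        udm["target.labels"] = {"UniqueSharingId": record["UniqueSharingId"]}
    return udm
```

Calling normalize on each entry of SAMPLE_RECORDS shows the two branches of the TargetUserOrGroupType rule side by side: the Guest invitation populates target.user, the SecurityGroup grant populates target.group and leaves target.user empty, which is what a detection rule keyed on guest sharing of files relies on.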
AccessRequestUpdated
The following table lists the log fields and corresponding UDM mappings for the operation AccessRequestUpdated and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to STATUS_UPDATE; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
ModifiedProperties | target.labels.key/value |
CompanyLinkRemoved
The following table lists the log fields and corresponding UDM mappings for the operation CompanyLinkRemoved and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_DELETION; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value: extracted with grok { match => { "EventData" => "<Type>{type_value}</Type>" } }; Type is mapped to target.resource.attribute.labels.key/value |
AccessRequestApproved
The following table lists the log fields and corresponding UDM mappings for the operation AccessRequestApproved and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_UPDATE_PERMISSIONS; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
EventData | target.resource.name: extracted with grok { match => { "EventData" => "<Added to group>{target_resource_name}.*" } }; the captured value is mapped to target.resource.name |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
AnonymousLinkRemoved
The following table lists the log fields and corresponding UDM mappings for the operation AnonymousLinkRemoved and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_DELETION; ObjectId is mapped to target.url |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value: extracted with grok { match => { "EventData" => "<Type>{type_value}</Type>" } }; Type is mapped to target.resource.attribute.labels.key/value |
SourceFileExtension | target.file.mime_type |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
ApplicationDisplayName | target.application |
MachineId | target.asset.product_object_id |
AnonymousLinkUpdated
The following table lists the log fields and corresponding UDM mappings for the operation AnonymousLinkUpdated and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to STATUS_UPDATE; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value: extracted with grok { match => { "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>" } }; Type and MembersCanShareApplied are each mapped to target.resource.attribute.labels.key/value |
SharingInvitationUpdated
The following table lists the log fields and corresponding UDM mappings for the operation SharingInvitationUpdated and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ModifiedProperties | target.labels.key/value |
AnonymousLinkUsed
The following table lists the log fields and corresponding UDM mappings for the operation AnonymousLinkUsed and workload SharePoint/OneDrive:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_ACCESS |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid / target.user.email_addresses: if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name; if it is Guest or Member, it is mapped to target.user.userid or target.user.email_addresses |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
Add group
The following table lists the log fields and corresponding UDM mappings for the operation Add group and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to GROUP_CREATION. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to Group creation successful; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to Group creation failed |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary or target.labels.key/value: if Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add member to group
The following table lists the log fields and corresponding UDM mappings for the operation Add member to group and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to GROUP_MODIFICATION. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to Group membership updated successfully; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to Group membership update failed |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.group.product.object_id and target.group.group_display_name: Group.ObjectId is mapped to target.group.product.object_id; Group.DisplayName is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
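The Azure AD group tables above share a second pattern: ResultStatus drives security_result.action and security_result.summary, ExtendedProperties and ModifiedProperties are name/value lists that fan out to different UDM fields by Name, and each Target entry is dispatched on its Type code. The Python below is an added example written for this page, not Chronicle's parser; it applies those rules to two constructed records and also handles ActorIpAddress values that carry a port or a bracketed IPv6 address, which the bare "principal.ip and principal.port" entry in the tables glosses over. The dotted UDM key names, helper names, sample values, the JSON shape assumed for the additionalDetails value and the Target Type code 2 used as the "otherwise" case are assumptions; Type 1 and Type 5 come from the tables.

```python
"""Added example, not Chronicle's parser: apply the Add group / Add member to group
mapping rules above to constructed Azure AD audit records. UDM key names,
helper names and the JSON shape of additionalDetails are assumptions."""
import json

# Operation -> (metadata.event_type, summary on Success, summary on Failure).
OPERATIONS = {
    "Add group": ("GROUP_CREATION", "Group creation successful", "Group creation failed"),
    "Add member to group": ("GROUP_MODIFICATION", "Group membership updated successfully",
                            "Group membership update failed"),
}

SAMPLE_RECORDS = [  # constructed, not real tenant data
    json.dumps({
        "Operation": "Add group", "ResultStatus": "Success",
        "ActorIpAddress": "198.51.100.20:49152",
        "ExtendedProperties": [
            {"Name": "additionalDetails", "Value": "{\"User-Agent\": \"Mozilla/5.0\"}"},
            {"Name": "extendedAuditEventCategory", "Value": "Group"},
            {"Name": "actorAppId", "Value": "00000003-0000-0000-c000-000000000000"}],
        "ModifiedProperties": [
            {"Name": "DisplayName", "NewValue": "Finance Owners"},
            {"Name": "Included Updated Properties", "NewValue": "DisplayName, MailNickname"}],
        "Target": [{"Type": 1, "ID": "Finance Owners"}, {"Type": 2, "ID": "Group"}],
    }),
    json.dumps({
        "Operation": "Add member to group", "ResultStatus": "Failure",
        "ActorIpAddress": "[2001:db8::10]:443",
        "ExtendedProperties": [{"Name": "extendedAuditEventCategory", "Value": "GroupManagement"}],
        "ModifiedProperties": [
            {"Name": "Group.ObjectId", "NewValue": "a1b2c3d4-0000-4000-8000-000000000002"},
            {"Name": "Group.DisplayName", "NewValue": "Global Administrators"}],
        "Target": [{"Type": 5, "ID": "mallory@example.com"}, {"Type": 2, "ID": "User"}],
    }),
]


def split_ip_port(value):
    """ActorIpAddress -> (principal.ip, principal.port); accepts 'ip', 'ip:port' or '[ipv6]:port'."""
    if not value:
        return None, None
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":")
        return host, (int(port) if port else None)
    if value.count(":") == 1:  # exactly one colon: IPv4 with a port
        host, port = value.split(":")
        return host, int(port)
    return value, None  # bare IPv4 or bare IPv6, never split


def normalize(raw):
    rec = json.loads(raw)
    op = rec.get("Operation")
    if op not in OPERATIONS:
        raise ValueError(f"unsupported operation: {op}")
    event_type, ok_summary, fail_summary = OPERATIONS[op]
    udm = {"metadata.event_type": event_type, "target.labels": {}, "about.labels": {},
           "target.resource.attribute.labels": {}, "security_result.detection_fields": {}}
    status = rec.get("ResultStatus")
    if status in ("Success", "Failure"):
        udm["security_result.action"] = "ALLOW" if status == "Success" else "BLOCK"
        udm["security_result.summary"] = ok_summary if status == "Success" else fail_summary
    ip, port = split_ip_port(rec.get("ActorIpAddress"))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port
    for prop in rec.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value")
        if name == "additionalDetails":  # table: "extract User-Agent"; value assumed to be JSON text
            try:
                details = json.loads(value)
            except (TypeError, ValueError):
                details = {}
            if details.get("User-Agent"):
                udm["network.http.user_agent"] = details["User-Agent"]
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"][name] = value
        else:
            udm["about.labels"][name] = value
    for prop in rec.get("ModifiedProperties", []):
        name, new = prop.get("Name"), prop.get("NewValue")
        if name == "Group.ObjectId":
            udm["target.group.product.object_id"] = new
        elif name == "Group.DisplayName":
            udm["target.group.group_display_name"] = new
        elif name == "Included Updated Properties":
            udm["security_result.summary"] = new  # replaces the status summary, as the table states
        else:
            udm["target.labels"][name] = new
    for target in rec.get("Target", []):  # Type 1 = group, Type 5 = user, per the tables
        ttype, tid = target.get("Type"), target.get("ID")
        if ttype == 1:
            udm.setdefault("target.group.group_display_name", tid)
        elif ttype == 5:
            udm["target.user.userid"] = tid
            if "@" in tid:
                udm["target.user.email_addresses"] = [tid]
        else:
            udm["security_result.detection_fields"][f"Target.{ttype}"] = tid
    return udm
```

The second sample is the case worth alerting on: a failed attempt to add a user to a privileged group still produces a GROUP_MODIFICATION event with security_result.action BLOCK, the group name in target.group.group_display_name and the user in target.user.userid, so a rule can key on the group name regardless of whether the change succeeded.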
Add user
The following table lists the log fields and corresponding UDM mappings for the operation Add user and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_CREATION |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary (conditional on the Name value; the conditions are not preserved on this page) |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Change user license
The following table lists the log fields and corresponding UDM mappings for the operation Change user license and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_RESOURCE_UPDATE_PERMISSIONS |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary (conditional on the Name value; the conditions are not preserved on this page) |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Change user password
The following table lists the log fields and corresponding UDM mappings for the operation Change user password and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_CHANGE_PASSWORD |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary or target.resource.name: if Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete group
The following table lists the log fields and corresponding UDM mappings for the operation Delete group and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to GROUP_DELETION. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to Group deletion successful; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to Group deletion failed |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary or target.labels.key/value: if Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove member from group
The following table lists the log fields and corresponding UDM mappings for the operation Remove member from group and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to GROUP_MODIFICATION. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to Group membership updated successfully; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary to Group membership update failed |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.group.product.object_id and target.group.group_display_name: Group.ObjectId is mapped to target.group.product.object_id; Group.DisplayName is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete user
The following table lists the log fields and corresponding UDM mappings for the operation Delete user and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_DELETION. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary to User deleted successfully |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary or target.resource.name: if Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is Action Client Name, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update user
The following table lists the log fields and corresponding UDM mappings for the operation Update user and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_UNCATEGORIZED |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary (conditional on the Name value; the conditions are not preserved on this page) |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update group
The following table lists the log fields and corresponding UDM mappings for the operation Update group and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to GROUP_MODIFICATION (conditional; the condition is not preserved on this page) |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value: if Name is additionalDetails, the User-Agent is extracted and mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.detection_fields.key/value (conditional on the Name value; the conditions are not preserved on this page) |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value: if Type is 1, ID is mapped to target.group.group_display_name; if Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
UserLoggedIn
The following table lists the log fields and corresponding UDM mappings for the operation UserLoggedIn and workload AzureActiveDirectory:
Log field | UDM mapping |
---|---|
 | metadata.event_type is set to USER_LOGIN. If ResultStatus is Succeeded or Success, security_result.action is set to ALLOW and security_result.summary to User login successful; otherwise, if ResultStatus is Failed or LogonError is not empty, security_result.action is set to BLOCK, security_result.summary to User login failed and security_result.description to {LogonError}. UserId is mapped to target.user.userid or target.user.email_addresses. metadata.description is set to User Login - {Workload} |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent
extensions.auth.type extensions.auth.mechanism |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id
principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname |
ErrorCode | security_result.description
security_result.description is set to ErrorCode - {ErrorCode} |
LogonError | security_result.description |
UserLoggedIn
The following table lists the log fields for the operation UserLoggedIn and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN. security_result.action is set to BLOCK. security_result.summary is User login failed. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism. If Name is RequestType and Value matches Saml.* or OAuth2.*, then extensions.auth.type is mapped to MACHINE; if Name is RequestType and Value matches Login.*, then extensions.auth.type is mapped to REMOTE_INTERACTIVE. If Name is UserAgent, then Value is mapped to network.http.user_agent. If Name is UserAuthenticationMethod, then extensions.auth.type is mapped based on Value. If Name is requestType, then extensions.auth.type is mapped based on Value. |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS: if Value matches Windows, then principal.platform is WINDOWS; if Value matches Mac, then principal.platform is MAC; if Value matches Linux, then principal.platform is LINUX. If Name is SessionId, then Value is mapped to network.session_id. If Name is OS, then Value is mapped to principal.platform. If Name is DisplayName, then Value is mapped to principal.hostname. |
ErrorCode | security_result.description. security_result.description is set to ErrorCode - {ErrorCode}. |
LogonError | security_result.description. If LogonError is UserAccountNotFound, then extensions.auth.mechanism is set to USERNAME_PASSWORD. |
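The login mapping of the two tables above (ResultStatus and LogonError into security_result, DeviceProperties into platform, session and hostname, RequestType into extensions.auth.type, Target Type 5 into the user), written out as an added Python example; it is not Chronicle's parser, and the sample records, the Target.Type detection-field key names, the ip:port split of ActorIpAddress and ErrorCode taking precedence over LogonError are assumptions made here.

```python
import re

# Constructed sample records (not real tenant data), shaped like Office 365
# Management Activity API entries for the AzureActiveDirectory workload.
LOGIN_OK = {
    "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
    "ResultStatus": "Succeeded", "UserId": "alice@example.com",
    "ActorIpAddress": "203.0.113.10",
    "ExtendedProperties": [{"Name": "RequestType", "Value": "OAuth2:Authorize"},
                           {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0)"}],
    "DeviceProperties": [{"Name": "OS", "Value": "Windows 10"},
                         {"Name": "SessionId", "Value": "sess-0001"},
                         {"Name": "DisplayName", "Value": "ALICE-LAPTOP"}],
    "Target": [{"Type": 5, "ID": "alice@example.com"}, {"Type": 0, "ID": "obj-0001"}],
}
LOGIN_FAIL = {
    "Operation": "UserLoginFailed", "Workload": "AzureActiveDirectory",
    "ResultStatus": "Failed", "UserId": "bob@example.com",
    "LogonError": "UserAccountNotFound", "ErrorCode": "50034",
    "ActorIpAddress": "198.51.100.7:51234",
    "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}],
    "DeviceProperties": [{"Name": "OS", "Value": "Mac OS"}],
    "Target": [{"Type": 5, "ID": "bob@example.com"}],
}


def _split_ip_port(addr):
    """ActorIpAddress -> (principal.ip, principal.port); assumes an optional 'ipv4:port' suffix."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return addr, None  # bare IPv4 or IPv6: no port


def _platform(os_value):
    # DeviceProperties Name=OS: Windows -> WINDOWS, Mac -> MAC, Linux -> LINUX
    for needle, plat in (("Windows", "WINDOWS"), ("Mac", "MAC"), ("Linux", "LINUX")):
        if needle in os_value:
            return plat
    return None


def _auth_type(request_type):
    # RequestType Saml.* or OAuth2.* -> MACHINE, Login.* -> REMOTE_INTERACTIVE
    if re.match(r"Saml.*|OAuth2.*", request_type):
        return "MACHINE"
    if re.match(r"Login.*", request_type):
        return "REMOTE_INTERACTIVE"
    return None


def normalize_login(rec):
    """Return a flat {udm_path: value} dict for a UserLoggedIn/UserLoginFailed record."""
    udm = {"metadata.event_type": "USER_LOGIN",
           "metadata.description": f"User Login - {rec.get('Workload', '')}",
           "security_result.detection_fields": []}
    status, logon_error = rec.get("ResultStatus"), rec.get("LogonError")
    failed_op = rec.get("Operation") == "UserLoginFailed"  # always BLOCK
    if not failed_op and status in ("Succeeded", "Success"):
        udm["security_result.action"] = "ALLOW"
        udm["security_result.summary"] = "User login successful"
    elif failed_op or status == "Failed" or logon_error:
        udm["security_result.action"] = "BLOCK"
        udm["security_result.summary"] = "User login failed"
        if logon_error:
            udm["security_result.description"] = logon_error
    if "ErrorCode" in rec:  # assumption: ErrorCode wins when both are present
        udm["security_result.description"] = f"ErrorCode - {rec['ErrorCode']}"
    if logon_error == "UserAccountNotFound":
        udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"
    if "UserId" in rec:
        udm["target.user.userid"] = rec["UserId"]
    if "ActorIpAddress" in rec:
        ip, port = _split_ip_port(rec["ActorIpAddress"])
        udm["principal.ip"] = ip
        if port is not None:
            udm["principal.port"] = port
    for prop in rec.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "UserAgent":
            udm["network.http.user_agent"] = value
        elif name in ("RequestType", "requestType") and _auth_type(value):
            udm["extensions.auth.type"] = _auth_type(value)
    for prop in rec.get("DeviceProperties", []):
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "OS" and _platform(value):
            udm["principal.platform"] = _platform(value)
        elif name == "SessionId":
            udm["network.session_id"] = value
        elif name == "DisplayName":
            udm["principal.hostname"] = value
    for tgt in rec.get("Target", []):
        if tgt.get("Type") == 5:  # Type 5 is the user; other types become detection fields
            udm["target.user.userid"] = tgt.get("ID")
        else:  # key name is an assumption; the page only says key/value
            udm["security_result.detection_fields"].append(
                {"key": f"Target.Type{tgt.get('Type')}", "value": tgt.get("ID")})
    return udm
```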
UserLoginFailed
The following table lists the log fields for the operation UserLoginFailed and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update StsRefreshTokenValidFrom Timestamp
The following table lists the log fields for the operation Update StsRefreshTokenValidFrom Timestamp and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is DEVICE. If ResultStatus is Success, security_result.action is set to ALLOW; if ResultStatus is Failure, security_result.action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, then Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is used if its Type is 1. If Name is DeviceOSType, then NewValue is mapped to target.platform; if Name is DeviceOSVersion, then NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, then NewValue is mapped to security_result.description; if Name is DisplayName, then NewValue is mapped to target.resource.name; if Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, then ID is mapped to target.resource.name; if Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update device
The following table lists the log fields for the operation Update device and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. Required fields for SETTING_MODIFICATION UDM validation: principal.machineid (IP, hostname, assetId, MAC, etc.). The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some cases it is absent; if ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, then ID is mapped to target.resource.name; if Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set federation settings on domain
The following table lists the log fields for the operation Set federation settings on domain and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. Required fields for STATUS_UNCATEGORIZED UDM validation: principal.machineid (IP, hostname, assetId, MAC, etc.). The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some cases it is absent; if ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, then ID is mapped to target.resource.name; if Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Verify domain
The following table lists the log fields for the operation Verify domain and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, then ID is mapped to target.resource.name; if Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set company information
The following table lists the log fields for the operation Set company information and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Reset user password
The following table lists the log fields for the operation Reset user password and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.description, security_result.summary, target.labels.key/value. If Name is AccountEnabled, then security_result.description is set to AccountEnabled - {NewValue}; if Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Disable account
The following table lists the log fields for the operation Disable account and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete app-specific password for user
The following table lists the log fields for the operation Delete app-specific password for user and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is DEVICE. If ResultStatus is Success, security_result.action is set to ALLOW; if ResultStatus is Failure, security_result.action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, then Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is used if its Type is 1. If Name is DeviceOSType, then NewValue is mapped to target.platform; if Name is DeviceOSVersion, then NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, then NewValue is mapped to security_result.description; if Name is DisplayName, then NewValue is mapped to target.resource.name; if Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, then ID is mapped to target.resource.name; if Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete device
The following table lists the log fields for the operation Delete device and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is DEVICE. If ResultStatus is Success, security_result.action is set to ALLOW; if ResultStatus is Failure, security_result.action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, then Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is used if its Type is 1. If Name is DeviceOSType, then NewValue is mapped to target.platform; if Name is DeviceOSVersion, then NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, then NewValue is mapped to security_result.description; if Name is DisplayName, then NewValue is mapped to target.resource.name; if Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, then ID is mapped to target.resource.name; if Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add registered users to device
The following table lists the log fields for the operation Add registered users to device and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.resource.product_object_id, target.resource.name. If Name is Device.ObjectId, then NewValue is mapped to target.resource.product_object_id; if Name is Device.DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add registered owner to device
The following table lists the log fields for the operation Add registered owner to device and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.resource.product_object_id, target.resource.name. If Name is Device.ObjectId, then NewValue is mapped to target.resource.product_object_id; if Name is Device.DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add owner to group
The following table lists the log fields for the operation Add owner to group and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.group.product_object_id, target.group.group_display_name. If Name is Group.ObjectId, then NewValue is mapped to target.group.product_object_id; if Name is Group.DisplayName, then NewValue is mapped to target.group.group_display_name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add OAuth2PermissionGrant
The following table lists the log fields for the operation Add OAuth2PermissionGrant and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.resource.product_object_id, target.resource.name, security_result.summary. If Name is ServicePrincipal.ObjectId, then NewValue is mapped to target.resource.product_object_id; if Name is ServicePrincipal.DisplayName, then NewValue is mapped to target.resource.name; if Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add device
The following table lists the log fields for the operation Add device and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is DEVICE. If ResultStatus is Success, security_result.action is set to ALLOW; if ResultStatus is Failure, security_result.action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, then Value is mapped to target.resource.product_object_id; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in ModifiedProperties, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is used if its Type is 1. If Name is DeviceOSType, then NewValue is mapped to target.platform; if Name is DeviceOSVersion, then NewValue is mapped to target.platform_version; if Name is DevicePhysicalIds, then NewValue is mapped to security_result.description; if Name is DisplayName, then NewValue is mapped to target.resource.name; if Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
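The device-object mapping that the Update device, Delete device and Add device tables share (DEVICE resource type, ResultStatus to security_result.action, DeviceOSType/DeviceOSVersion/DevicePhysicalIds/DisplayName from ModifiedProperties, Target Type 1 as the fallback for target.resource.name, targetObjectId and additionalDetails from ExtendedProperties), together with the ClientIP-absent fallback to GENERIC_EVENT stated for SETTING_MODIFICATION and STATUS_UNCATEGORIZED, as an added Python example that is not Chronicle's parser. The sample records, the JSON shape assumed for additionalDetails, the detection-field key names and ClientIP feeding principal.ip are assumptions made here.

```python
import json

# Constructed sample records (not real tenant data), shaped like Office 365
# Management Activity API entries for the AzureActiveDirectory workload.
UPDATE_DEVICE = {
    "ResultStatus": "Success", "ClientIP": "203.0.113.10",
    "ExtendedProperties": [
        {"Name": "targetObjectId", "Value": "11111111-2222-3333-4444-555555555555"},
        {"Name": "additionalDetails", "Value": '{"User-Agent": "Mozilla/5.0"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Device"},
        {"Name": "constructedExtra", "Value": "x"}],  # unknown names land in about.labels
    "ModifiedProperties": [
        {"Name": "DeviceOSType", "NewValue": "Windows"},
        {"Name": "DeviceOSVersion", "NewValue": "10.0.19045"},
        {"Name": "DisplayName", "NewValue": "ALICE-LAPTOP"},
        {"Name": "Included Updated Properties", "NewValue": "DeviceOSVersion, DisplayName"}],
    "Target": [{"Type": 1, "ID": "Device_1111"}, {"Type": 5, "ID": "alice@example.com"}],
}
ADD_DEVICE = {  # no DisplayName, so target.resource.name must fall back to Target Type 1
    "ResultStatus": "Failure", "ClientIP": "203.0.113.11",
    "ModifiedProperties": [{"Name": "DeviceOSType", "NewValue": "Linux"},
                           {"Name": "DevicePhysicalIds", "NewValue": "[GID]:g:123"}],
    "Target": [{"Type": 1, "ID": "Device_2222"}],
}
SET_FEDERATION = {  # no ClientIP at all
    "ResultStatus": "Success",
    "ModifiedProperties": [{"Name": "Included Updated Properties", "NewValue": "IssuerUri"},
                           {"Name": "IssuerUri", "NewValue": "http://idp.example.com/adfs"}],
    "Target": [{"Type": 1, "ID": "example.com"}],
}

# ModifiedProperties names the page maps to fixed UDM paths for device objects.
DEVICE_MODIFIED = {
    "DeviceOSType": "target.platform",
    "DeviceOSVersion": "target.platform_version",
    "DevicePhysicalIds": "security_result.description",
    "DisplayName": "target.resource.name",
    "Included Updated Properties": "security_result.summary",
}


def _extended_properties(props, udm):
    for prop in props:
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "targetObjectId":
            udm["target.resource.product_object_id"] = value
        elif name == "additionalDetails":
            # Assumption: additionalDetails is a JSON object string holding User-Agent
            try:
                user_agent = json.loads(value).get("User-Agent")
            except (ValueError, AttributeError):
                user_agent = None
            if user_agent:
                udm["network.http.user_agent"] = user_agent
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"].append({"key": name, "value": value})
        else:
            udm["about.labels"].append({"key": name, "value": value})


def normalize_directory_record(rec, event_type, resource_type):
    """Flat {udm_path: value} dict for a device- or setting-object AAD record."""
    udm = {"metadata.event_type": event_type,
           "target.resource.resource_type": resource_type,
           "target.resource.attribute.labels": [], "about.labels": [],
           "target.labels": [], "security_result.detection_fields": []}
    status = rec.get("ResultStatus")
    if status == "Success":
        udm["security_result.action"] = "ALLOW"
    elif status == "Failure":
        udm["security_result.action"] = "BLOCK"
    _extended_properties(rec.get("ExtendedProperties", []), udm)
    for prop in rec.get("ModifiedProperties", []):
        name, new_value = prop.get("Name"), prop.get("NewValue")
        path = DEVICE_MODIFIED.get(name)
        if path:
            udm[path] = new_value
        else:  # unmapped property names become target.labels key/value
            udm["target.labels"].append({"key": name, "value": new_value})
    for tgt in rec.get("Target", []):
        kind, ident = tgt.get("Type"), tgt.get("ID")
        if kind == 1:  # a DisplayName from ModifiedProperties takes precedence
            udm.setdefault("target.resource.name", ident)
        elif kind == 5:
            udm["target.user.userid"] = ident
        else:  # key name is an assumption; the page only says key/value
            udm["security_result.detection_fields"].append(
                {"key": f"Target.Type{kind}", "value": ident})
    # UDM validation for SETTING_MODIFICATION / STATUS_UNCATEGORIZED needs a
    # principal machine id; without ClientIP the event degrades to GENERIC_EVENT.
    if rec.get("ClientIP"):
        udm["principal.ip"] = rec["ClientIP"]  # assumption: ClientIP feeds principal.ip
    elif event_type in ("SETTING_MODIFICATION", "STATUS_UNCATEGORIZED"):
        udm["metadata.event_type"] = "GENERIC_EVENT"
    return udm
```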
Add app role assignment grant to user
The following table lists the log fields for the operation Add app role assignment grant to user and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. Workload is mapped to intermediary.application. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.application, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetName, then Value is mapped to target.application; if Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.user.userid or target.user.email_addresses. If Name is User.UPN, then NewValue is mapped to target.user.userid or target.user.email_addresses. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Consent to application
The following table lists the log fields for the operation Consent to application and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update service principal
The following table lists the log fields for the operation Update service principal and the workload AzureActiveDirectory and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.url. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from it is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; if Name is DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add service principal
The following table lists the log fields of the operation "Add service principal" (workload "AzureActiveDirectory") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.url | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, mapped to target.resource.attribute.labels.key/value; otherwise mapped to about.labels.key/value |
ModifiedProperties | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove service principal
The following table lists the log fields of the operation "Remove service principal" (workload "AzureActiveDirectory") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, mapped to target.resource.attribute.labels.key/value; otherwise mapped to about.labels.key/value |
ModifiedProperties | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
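The conditional rules in the consent and service principal tables above (User-Agent hidden inside the additionalDetails JSON string, NewValue routed by Name, Target routed by Type, ActorIpAddress carrying a port) are easy to get wrong when you write detection logic against the resulting UDM fields. The following is an added example, not Chronicle's parser and not code from this page: it applies those rules to a constructed record and returns the UDM fields as a plain dict. The function names, the `label` helper, the event-type lookup, the trailing-period stripping of Operation and the sample record are all assumptions of this example; the field shapes (Name/Value pairs, ID/Type pairs) follow the Office 365 audit record format.

```python
"""Added example, not Chronicle's parser code: applies the conditional mapping
rules from the AzureActiveDirectory tables above (consent and service principal
operations) to a constructed audit record and returns the UDM fields as a dict."""
import ipaddress
import json

# Operation -> metadata.event_type, copied from the tables above. Real records
# carry a trailing period in Operation ("Add service principal."); the lookup strips it.
EVENT_TYPES = {
    "Consent to application": "USER_RESOURCE_ACCESS",
    "Update service principal": "SETTING_MODIFICATION",
    "Add service principal": "USER_RESOURCE_CREATION",
    "Remove service principal": "USER_RESOURCE_DELETION",
}


def label(key, value):
    return {"key": str(key), "value": str(value)}


def split_ip_port(value):
    """ActorIpAddress can be 'ip', 'ip:port' or '[v6]:port'; return (ip, port or None)."""
    port = None
    if value.startswith("["):                  # [2001:db8::1]:443
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else None
    elif value.count(":") == 1:                # 203.0.113.5:51234
        host, _, port = value.partition(":")
    else:                                      # bare IPv4 or IPv6
        host = value
    ipaddress.ip_address(host)                 # raises ValueError on garbage
    return host, (int(port) if port else None)


def to_udm(rec):
    op = rec["Operation"].rstrip(".")
    udm = {
        "metadata": {"event_type": EVENT_TYPES.get(op, "USER_UNCATEGORIZED"),
                     "product_version": rec.get("Version")},
        "principal": {"labels": []}, "about": {"labels": []},
        "target": {"labels": [], "resource": {"attribute": {"labels": []}}},
        "security_result": {"detection_fields": []},
    }
    t_attr = udm["target"]["resource"]["attribute"]["labels"]
    # Scalar fields that become a label on a fixed noun.
    for name, dest in (("ActorContextId", udm["principal"]["labels"]),
                       ("SupportTicketId", udm["about"]["labels"]),
                       ("TargetContextId", udm["target"]["labels"]),
                       ("AzureActiveDirectoryEventType", t_attr),
                       ("InterSystemsId", t_attr), ("IntraSystemId", t_attr)):
        if name in rec:
            dest.append(label(name, rec[name]))
    if rec.get("ActorIpAddress"):
        udm["principal"]["ip"], port = split_ip_port(rec["ActorIpAddress"])
        udm["principal"].update({"port": port} if port else {})
    if op.endswith("service principal"):
        udm["target"]["url"] = rec.get("ObjectId")
        if op.startswith("Update"):
            udm["target"]["resource"]["resource_type"] = "SETTING"
    # ExtendedProperties: the User-Agent sits inside a JSON string under additionalDetails.
    for p in rec.get("ExtendedProperties", []):
        if p["Name"] == "additionalDetails":
            try:
                ua = json.loads(p["Value"]).get("User-Agent")
            except (ValueError, AttributeError):
                ua = None
            if ua:
                udm["network"] = {"http": {"user_agent": ua}}
        elif p["Name"] == "extendedAuditEventCategory":
            t_attr.append(label(p["Name"], p["Value"]))
        else:
            udm["about"]["labels"].append(label(p["Name"], p["Value"]))
    # ModifiedProperties: where NewValue lands depends on Name.
    for p in rec.get("ModifiedProperties", []):
        name, new = p["Name"], p.get("NewValue", "")
        if name == "Included Updated Properties":
            udm["security_result"]["summary"] = new
        elif name == "DisplayName":
            udm["target"]["resource"]["name"] = new
        else:
            udm["target"]["labels"].append(label(name, new))
    # Actor always goes to detection_fields; Target only when it is not a UPN (Type 5).
    for a in rec.get("Actor", []):
        udm["security_result"]["detection_fields"].append(label("Actor", a["ID"]))
    for t in rec.get("Target", []):
        if t.get("Type") != 5:
            udm["security_result"]["detection_fields"].append(label("Target", t["ID"]))
        elif "@" in t["ID"]:
            udm["target"].setdefault("user", {})["email_addresses"] = [t["ID"]]
        else:
            udm["target"].setdefault("user", {})["userid"] = t["ID"]
    return udm


# Constructed consent record for this example; not from a real tenant.
SAMPLE_CONSENT = {
    "Operation": "Consent to application.", "Workload": "AzureActiveDirectory", "Version": 1,
    "AzureActiveDirectoryEventType": 1, "ActorIpAddress": "203.0.113.5:51234",
    "ActorContextId": "d8f0a1b2-0000-4000-8000-0000000000aa",
    "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent":"Mozilla/5.0 (X11; Linux x86_64)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "ApplicationManagement"}],
    "ModifiedProperties": [
        {"Name": "ConsentContext.IsAdminConsent", "NewValue": "True"},
        {"Name": "Included Updated Properties", "NewValue": "ConsentContext.IsAdminConsent"}],
    "Target": [{"ID": "ServicePrincipal_5c2e1f00-0000-4000-8000-0000000000bb", "Type": 2}],
}
```

Note that the granted permission itself (ConsentContext.IsAdminConsent here) ends up in target.labels rather than in a dedicated field, so a rule that wants to alert on admin consent has to match on the label key/value pair, and the user agent is only present when additionalDetails carried a parseable JSON object.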
Add member to role
The following table lists the log fields of the operation "Add member to role" (workload "AzureActiveDirectory") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, mapped to target.resource.attribute.labels.key/value; otherwise mapped to about.labels.key/value |
ModifiedProperties | NewValue is mapped to target.resource.product_object_id, depending on Name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove member from role
The following table lists the log fields of the operation "Remove member from role" (workload "AzureActiveDirectory") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED. If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is "Removed a user to an admin role successfully"; if ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is "Removed a user to an admin role failed" | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value or about.labels.key/value |
ModifiedProperties | If Name is Role.ObjectId, NewValue is mapped to target.resource.product_object_id; if Name is Role.DisplayName, NewValue is mapped to target.user.attribute.roles.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, mapped to target.resource.attribute.labels.key/value; otherwise mapped to about.labels.key/value |
ModifiedProperties | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add label
The following table lists the log fields of the operation "Add label" (workload "AzureActiveDirectory") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.resource.product_object_id | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, mapped to target.resource.attribute.labels.key/value; otherwise mapped to about.labels.key/value |
ModifiedProperties | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; if Name is DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise mapped to security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Create company
The following table lists the log fields of the operation "Create company" (workload "AzureActiveDirectory") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION; ObjectId is mapped to target.resource.product_object_id | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.labels.key/value |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
TeamsSessionStarted
The following table lists the log fields of the operation "TeamsSessionStarted" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_CREATION; target.resource.resource_type is set to TASK. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ScheduleGroupAdded
The following table lists the log fields of the operation "ScheduleGroupAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION; target.resource.resource_type is set to TASK. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ScheduleGroupEdited
The following table lists the log fields of the operation "ScheduleGroupEdited" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_DELETION; target.resource.resource_type is set to TASK. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ScheduleGroupDeleted
The following table lists the log fields of the operation "ScheduleGroupDeleted" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION; target.resource.resource_type is set to SETTING. UDM validation for SETTING_CREATION requires a principal machine identifier (IP address, hostname, asset ID, MAC address, etc.). The Office 365 documentation lists ClientIP as a mandatory field for all Office 365 activities, but in some records it is absent; if ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
Shift | target.resource.attribute.labels.value |
ShiftAdded
The following table lists the log fields of the operation "ShiftAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
Shift | target.resource.attribute.labels.value |
ShiftEdited
The following table lists the log fields of the operation "ShiftEdited" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
Shift | target.resource.attribute.labels.value |
ShiftDeleted
The following table lists the log fields of the operation "ShiftDeleted" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
Shift | target.resource.attribute.labels.value |
TimeOffAdded
The following table lists the log fields of the operation "TimeOffAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
Shift | target.resource.attribute.labels.value |
TimeOffEdited
The following table lists the log fields of the operation "TimeOffEdited" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
Shift | target.resource.attribute.labels.value |
TimeOffDeleted
The following table lists the log fields of the operation "TimeOffDeleted" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
OpenShift | target.resource.attribute.labels.key/value |
OpenShiftAdded
The following table lists the log fields of the operation "OpenShiftAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
OpenShift | target.resource.attribute.labels.key/value |
OpenShiftEdited
The following table lists the log fields of the operation "OpenShiftEdited" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
OpenShift | target.resource.attribute.labels.key/value |
OpenShiftDeleted
The following table lists the log fields of the operation "OpenShiftDeleted" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ScheduleShared
The following table lists the log fields of the operation "ScheduleShared" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ClockedIn
The following table lists the log fields of the operation "ClockedIn" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
BreakStarted
The following table lists the log fields of the operation "BreakStarted" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
BreakEnded
The following table lists the log fields of the operation "BreakEnded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ShiftRequest | target.resource.attribute.labels.key/value |
RequestAdded
The following table lists the log fields of the operation "RequestAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ShiftRequest | target.resource.attribute.labels.key/value |
RequestRespondedTo
The following table lists the log fields of the operation "RequestRespondedTo" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ShiftRequest | target.resource.attribute.labels.key/value |
RequestCancelled
The following table lists the log fields of the operation "RequestCancelled" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
ScheduleId | target.resource.product_object_id |
ScheduleSettingChanged
The following table lists the log fields of the operation "ScheduleSettingChanged" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
TeamSettingChanged
The following table lists the log fields of the operation "TeamSettingChanged" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
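The Shifts and settings tables above (TeamsSessionStarted through TeamSettingChanged) all carry the same caveat: SETTING_* and SCHEDULED_TASK_* event types only pass UDM validation when the principal has a machine identifier, and the only source of one in these records is ClientIP, so a record without ClientIP is demoted to GENERIC_EVENT. A detection rule keyed on SETTING_MODIFICATION therefore silently misses those records. The following is an added example, not Chronicle's parser and not code from this page: it applies that rule to constructed records and reports, per operation, how many fell back. The function names, the subset of operations in the lookup, the assumption that ClientIP is a bare IP address, the assumed list-of-Key/Value shape of ExtraProperties and the sample records are this example's own.

```python
"""Added example, not Chronicle's parser code: applies the ClientIP rule from the
MicrosoftTeams Shifts tables above (SETTING_* and SCHEDULED_TASK_* operations)
to constructed records and reports which ones fell back to GENERIC_EVENT."""
from collections import Counter

# Operation -> (metadata.event_type, target.resource.resource_type), a subset of
# the tables above; operations not listed here are treated as GENERIC_EVENT.
SHIFTS_EVENT_TYPES = {
    "ScheduleSettingChanged": ("SETTING_MODIFICATION", "SETTING"),
    "TeamSettingChanged": ("SETTING_MODIFICATION", "SETTING"),
    "RequestCancelled": ("SETTING_MODIFICATION", "SETTING"),
    "ClockedIn": ("USER_RESOURCE_UPDATE_CONTENT", None),
    "ScheduleShared": ("USER_RESOURCE_UPDATE_CONTENT", None),
    "RequestAdded": ("USER_UNCATEGORIZED", None),
}

# Event-type families whose UDM validation needs a principal machine identifier
# (principal.ip here, supplied only by ClientIP), as the tables above state.
NEEDS_MACHINE_ID = ("SETTING_", "SCHEDULED_TASK_")


def fell_back(rec):
    """True when the table gives the record a SETTING_*/SCHEDULED_TASK_* type but ClientIP is missing."""
    event_type = SHIFTS_EVENT_TYPES.get(rec.get("Operation"), ("GENERIC_EVENT", None))[0]
    return event_type.startswith(NEEDS_MACHINE_ID) and not rec.get("ClientIP")


def normalize_shifts(rec):
    event_type, resource_type = SHIFTS_EVENT_TYPES.get(rec["Operation"], ("GENERIC_EVENT", None))
    if fell_back(rec):
        event_type = "GENERIC_EVENT"            # the rule stated in the tables above
    udm = {
        "metadata": {"event_type": event_type, "product_version": rec.get("Version")},
        "principal": {},
        "target": {"labels": [], "group": {}, "resource": {"attribute": {"labels": []}}},
        "additional": {"fields": {}},
    }
    if rec.get("ClientIP"):
        udm["principal"]["ip"] = rec["ClientIP"]    # assumed to be a bare IP, no port suffix
    if resource_type:
        udm["target"]["resource"]["resource_type"] = resource_type
    if "AADGroupId" in rec:
        udm["target"]["labels"].append({"key": "AADGroupId", "value": rec["AADGroupId"]})
    if "TeamGuid" in rec:                           # one value, two UDM fields
        udm["target"]["user"] = {"group_identifiers": [rec["TeamGuid"]]}
        udm["target"]["group"]["product_object_id"] = rec["TeamGuid"]
    if "TeamName" in rec:
        udm["target"]["group"]["group_display_name"] = rec["TeamName"]
    if "ScheduleId" in rec:
        udm["target"]["resource"]["product_object_id"] = rec["ScheduleId"]
    for name in ("Shift", "OpenShift", "ShiftRequest"):
        if name in rec:
            udm["target"]["resource"]["attribute"]["labels"].append({"key": name, "value": str(rec[name])})
    # ExtraProperties: assumed here to be a list of {"Key": ..., "Value": ...} pairs.
    for p in rec.get("ExtraProperties", []):
        udm["additional"]["fields"][p["Key"]] = {"string_value": str(p["Value"])}
    return udm


def fallback_report(records):
    """Per-operation count of records that lost their SETTING_*/SCHEDULED_TASK_*
    type; rules keyed on those types never see these events."""
    return dict(Counter(r["Operation"] for r in records if fell_back(r)))


TEAM = "7a1c0000-0000-4000-8000-0000000000c1"
# Constructed records for this example; not from a real tenant.
SAMPLES = [
    {"Operation": "ScheduleSettingChanged", "Workload": "MicrosoftTeams", "Version": 1,
     "ClientIP": "198.51.100.7", "TeamGuid": TEAM, "TeamName": "Night Shift",
     "ScheduleId": "sched-1", "ExtraProperties": [{"Key": "TimeZone", "Value": "UTC"}]},
    {"Operation": "TeamSettingChanged", "Workload": "MicrosoftTeams", "Version": 1,
     "TeamGuid": TEAM, "TeamName": "Night Shift"},                  # no ClientIP: demoted
    {"Operation": "ClockedIn", "Workload": "MicrosoftTeams", "Version": 1,
     "TeamGuid": TEAM, "ScheduleId": "sched-1"},                   # no ClientIP, but none required
]
```

Running `fallback_report` over a day's export is a cheap way to see how much of your Teams settings telemetry a type-keyed rule would actually cover; if the fraction is large, match on the Operation label or on target.resource.resource_type as well rather than on metadata.event_type alone.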
AppInstalled
The following table lists the log fields of the operation "AppInstalled" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AddOnGuid | target.resource.product_object_id |
AddOnType | target.labels.key/value |
AddOnName | target.resource.name |
Version | metadata.product_version |
AppDistributionMode | about.labels.key/value |
AzureADAppId | about.labels.key/value |
OperationScope | about.labels.key/value |
TargetUserId | target.user.product_object_id |
MemberRemoved
The following table lists the log fields of the operation "MemberRemoved" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
CommunicationType | about.labels.key/value |
ChatName | target.group.group_display_name |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
TabRemoved
The following table lists the log fields of the operation "TabRemoved" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
AddOnGuid | target.resource.product_object_id |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
AddOnName | target.resource.name |
ChannelName | target.resource.attribute.labels.key/value |
TeamName | target.group.group_display_name |
AppUninstalled
The following table lists the log fields of the operation "AppUninstalled" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AddOnGuid | target.resource.product_object_id |
AddOnType | target.labels.key/value |
AddOnName | target.resource.name |
Version | metadata.product_version |
AppDistributionMode | about.labels.key/value |
AzureADAppId | about.labels.key/value |
OperationScope | about.labels.key/value |
TargetUserId | target.user.product_object_id |
MemberAdded
The following table lists the log fields of the operation "MemberAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
CommunicationType | about.labels.key/value |
ChatName | target.group.group_display_name |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
TabAdded
The following table lists the log fields of the operation "TabAdded" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
AddOnGuid | target.resource.product_object_id |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
AddOnName | target.resource.name |
AddOnUrl | target.url |
ChannelName | target.labels.key/value |
TeamName | target.group.group_display_name |
ClockedOut
The following table lists the log fields of the operation "ClockedOut" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
AADGroupId | target.labels.key/value |
ScheduleId | target.resource.product_object_id |
TeamCreated
The following table lists the log fields of the operation "TeamCreated" (workload "MicrosoftTeams") and their corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.resource.product_object_id |
TeamName | target.resource.name |
Version | metadata.product_version |
BotAddedToTeam
下表列出了操作“BotAddedToTeam”和工作负载“MicrosoftTeams”的日志字段和相应的 UDM 映射:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
AddOnGuid | target.resource.product_object_id |
AddOnName | target.resource.name |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
ChannelAdded
The following table lists the log fields and corresponding UDM mappings for the operation "ChannelAdded" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.resource.product_object_id |
ChannelName | target.resource.name |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
ConnectorAdded
The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorAdded" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
ChannelSettingChanged
The following table lists the log fields and corresponding UDM mappings for the operation "ChannelSettingChanged" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.resource.product_object_id |
ChannelName | target.resource.name |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
TeamsTenantSettingChanged
The following table lists the log fields and corresponding UDM mappings for the operation "TeamsTenantSettingChanged" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT instead. | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
MemberRoleChanged
The following table lists the log fields and corresponding UDM mappings for the operation "MemberRoleChanged" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name. Members.DisplayName is mapped to about.user.user_display_name, Members.Role to about.user.attribute.roles.name, Members.UPN to about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
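The Teams tables above are easier to check against a real record than to read in isolation. The following Python is an added example, not code from this page or from the Chronicle parser, that normalizes constructed MicrosoftTeams audit records the way the TeamsTenantSettingChanged and MemberRoleChanged tables describe: event_type chosen by Operation, the GENERIC_EVENT fallback when ClientIP is absent, resource_type set to SETTING for setting changes, TeamGuid copied to both target.user.group_identifiers and target.group.product_object_id, Name/NewValue folded into one resource label, and each Members entry expanded into its own about.user entity. The record layout (Members as a list of DisplayName/Role/UPN objects, ExtraProperties as a list of Key/Value objects) is assumed from the Office 365 Management Activity schema; the UDM output is a plain dictionary, not a Chronicle object.

```python
# metadata.event_type per Teams operation, taken from the tables on this page.
TEAMS_EVENT_TYPE = {
    "TeamCreated": "USER_RESOURCE_CREATION",
    "BotAddedToTeam": "GROUP_MODIFICATION",
    "ChannelAdded": "USER_RESOURCE_CREATION",
    "ConnectorAdded": "USER_RESOURCE_CREATION",
    "ChannelSettingChanged": "SETTING_MODIFICATION",
    "TeamsTenantSettingChanged": "SETTING_MODIFICATION",
    "MemberRoleChanged": "USER_CHANGE_PERMISSIONS",
    "ChannelDeleted": "USER_RESOURCE_DELETION",
    "TeamDeleted": "USER_RESOURCE_DELETION",
}

# Fields the tables route to target.labels as key/value pairs.
TARGET_LABEL_FIELDS = ("AddOnGuid", "AddOnName", "AddOnType", "ChannelGuid",
                       "ChannelName", "ChannelType", "TabType", "AADGroupId")


def teams_event_type(record):
    """Choose metadata.event_type the way the tables describe it."""
    op = record.get("Operation", "")
    # Page rule: TeamsTenantSettingChanged without a ClientIP is GENERIC_EVENT.
    if op == "TeamsTenantSettingChanged" and not record.get("ClientIP"):
        return "GENERIC_EVENT"
    return TEAMS_EVENT_TYPE.get(op, "GENERIC_EVENT")


def normalize_teams(record):
    """Map one MicrosoftTeams audit record to a minimal UDM-shaped dict."""
    event_type = teams_event_type(record)
    udm = {
        "metadata": {"event_type": event_type,
                     "product_version": record.get("Version")},
        "target": {"user": {"group_identifiers": []}, "group": {},
                   "resource": {}, "labels": []},
        "about": [],
        "additional": {"fields": []},
    }
    if event_type == "SETTING_MODIFICATION":
        udm["target"]["resource"]["resource_type"] = "SETTING"
    # TeamGuid is copied to two places; TeamName is the group display name.
    if record.get("TeamGuid"):
        udm["target"]["user"]["group_identifiers"].append(record["TeamGuid"])
        udm["target"]["group"]["product_object_id"] = record["TeamGuid"]
    if record.get("TeamName"):
        udm["target"]["group"]["group_display_name"] = record["TeamName"]
    # Name/NewValue form one key/value label on the target resource.
    if record.get("Name") is not None:
        udm["target"]["resource"]["attribute"] = {"labels": [
            {"key": record["Name"], "value": str(record.get("NewValue", ""))}]}
    for key in TARGET_LABEL_FIELDS:
        if record.get(key) is not None:
            udm["target"]["labels"].append({"key": key, "value": str(record[key])})
    # Every Members entry becomes its own about.user entity (MemberRoleChanged table).
    for member in record.get("Members") or []:
        user = {}
        if member.get("UPN"):
            user["email_addresses"] = [member["UPN"]]
        if member.get("DisplayName"):
            user["user_display_name"] = member["DisplayName"]
        if member.get("Role") is not None:
            user["attribute"] = {"roles": [{"name": str(member["Role"])}]}
        udm["about"].append({"user": user})
    # ExtraProperties is assumed to be a list of {Key, Value} objects.
    for prop in record.get("ExtraProperties") or []:
        udm["additional"]["fields"].append(
            {"key": prop.get("Key"), "value": {"string_value": str(prop.get("Value"))}})
    return udm


# Constructed sample records, not real tenant data.
SAMPLE_ROLE_CHANGE = {
    "Operation": "MemberRoleChanged", "Workload": "MicrosoftTeams", "Version": 1,
    "ClientIP": "203.0.113.10", "TeamGuid": "19:abc123@thread.tacv2",
    "TeamName": "SOC Team", "ChannelType": "Standard",
    "Members": [{"DisplayName": "Alice Example", "Role": 1, "UPN": "alice@example.com"}],
    "ExtraProperties": [{"Key": "TeamType", "Value": "Private"}],
}
SAMPLE_TENANT_SETTING_NO_IP = {
    "Operation": "TeamsTenantSettingChanged", "Workload": "MicrosoftTeams",
    "Version": 1, "Name": "AllowGuestUser", "NewValue": "True",
}

if __name__ == "__main__":
    print(normalize_teams(SAMPLE_ROLE_CHANGE))
    print(normalize_teams(SAMPLE_TENANT_SETTING_NO_IP)["metadata"]["event_type"])
```

The second sample has no ClientIP, so the tenant-setting change is demoted to GENERIC_EVENT even though its Name/NewValue label is still produced; a detection that keys on SETTING_MODIFICATION alone would miss it, which is the reason the table calls out that rule.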
DeletedAllOrganizationApps
The following table lists the log fields and corresponding UDM mappings for the operation "DeletedAllOrganizationApps" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
ChannelDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "ChannelDeleted" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.resource.product_object_id |
ChannelName | target.resource.name |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
TeamDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "TeamDeleted" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.resource.product_object_id |
TeamName | target.resource.name |
BotRemovedFromTeam
The following table lists the log fields and corresponding UDM mappings for the operation "BotRemovedFromTeam" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
ConnectorRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorRemoved" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
ConnectorUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorUpdated" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.email_addresses |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
TabUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "TabUpdated" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AddOnGuid | target.labels.key/value |
AddOnName | target.resource.name |
AddOnType | target.labels.key/value |
ChannelGuid | target.labels.key/value |
ChannelName | target.resource.attribute.labels.key/value |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
Members | about.user.userid or about.user.email_addresses, about.user.user_display_name, about.user.attribute.roles.name |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
Name | target.resource.attribute.labels.key |
NewValue | target.resource.attribute.labels.value |
SubscriptionId | target.resource.attribute.labels.key/value |
TabType | target.labels.key/value |
TeamGuid | target.user.group_identifiers, target.group.product_object_id |
TeamName | target.group.group_display_name |
AADGroupId | target.labels.key/value |
AddOnUrl | target.url |
Update
The following table lists the log fields and corresponding UDM mappings for the operation "Update" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism. If LogonType is 2, mechanism is set to INTERACTIVE; 3 or 8, NETWORK; 4, BATCH; 5, SERVICE; 7, UNLOCK; 9, NEW_CREDENTIALS; 10, REMOTE_INTERACTIVE; 11, CACHED_INTERACTIVE; any other value, MECHANISM_UNSPECIFIED |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
Item | network.email.subject, target.resource.product_object_id, target.resource.name, target.file.size, network.email.mail_id, target.file.full_path. Item.Id is mapped to target.resource.product_object_id, Item.Subject to network.email.subject, Item.SizeInBytes to target.file.size, Item.ParentFolder.Path to target.resource.name, Item.InternetMessageId to network.email.mail_id, Item.Attachments to target.file.full_path |
ModifiedProperties | security_result.summary |
SessionId | network.session_id |
ClientRequestId | principal.labels.key/value |
Version | metadata.product_version |
FolderBind
The following table lists the log fields and corresponding UDM mappings for the operation "FolderBind" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
AppId | target.labels.key/value |
ClientRequestId | principal.labels.key/value |
Item | target.resource.product_object_id, target.resource.name, network.email.mail_id. Item.Id is mapped to target.resource.product_object_id, Item.InternetMessageId to network.email.mail_id, Item.ParentFolder.Path to target.resource.name |
SessionId | network.session_id |
Version | metadata.product_version |
SendOnBehalf
The following table lists the log fields and corresponding UDM mappings for the operation "SendOnBehalf" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
AppId | target.labels.key/value |
Item | network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id. Item.InternetMessageId is mapped to network.email.mail_id, Item.Subject to network.email.subject, Item.Attachments to target.file.full_path, Item.Id to target.resource.product_object_id |
SessionId | network.session_id |
SendOnBehalfOfUserSmtp | target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
SendAs
The following table lists the log fields and corresponding UDM mappings for the operation "SendAs" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
SendAsUserMailboxGuid | about.labels.key/value |
Item | network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id. Item.InternetMessageId is mapped to network.email.mail_id, Item.Subject to network.email.subject, Item.Attachments to target.file.full_path, Item.Id to target.resource.product_object_id |
SessionId | network.session_id |
SendAsUserSmtp | target.user.userid or target.user.email_addresses |
Version | metadata.product_version |
Send
The following table lists the log fields and corresponding UDM mappings for the operation "Send" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
Item | network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id |
SessionId | network.session_id |
Version | metadata.product_version |
New-InboxRule
The following table lists the log fields and corresponding UDM mappings for the operation "New-InboxRule" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION; target.resource.resource_type is set to SETTING; ObjectId is mapped to target.group.product_object_id | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
SessionId | network.session_id |
Version | metadata.product_version |
Parameters | security_result.rule_labels.key/value |
AppId | target.labels.key/value |
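Two of the Exchange tables above describe transformations rather than plain field copies: "Update" (the numeric LogonType becoming extensions.auth.mechanism, ClientIPAddress split into principal.ip and principal.port, and the Item sub-object with its optional Attachments) and "New-InboxRule" (each entry of Parameters becoming a security_result.rule_labels key/value pair). The following Python is an added example, not code from this page or from the Chronicle parser, that applies both to constructed records. It assumes ClientIPAddress looks like "203.0.113.5:52300" or "[2001:db8::1]:443" with the port optional, that Parameters is a list of {Name, Value} objects, and that Item.Attachments may be missing, as the Create table notes. The mechanism table copies the Update table; since in Exchange mailbox-audit records LogonType identifies the accessor (0 Owner, 1 Admin, 2 Delegate), an analyst should read extensions.auth.mechanism as an enum translation rather than as a Windows session type and keep the raw InternalLogonType label the page maps in view. forwarding_targets is a practitioner check of my own, not a page mapping: it picks out the rule parameters that move mail out of the mailbox.

```python
import re

# LogonType -> extensions.auth.mechanism, exactly as the Update table lists it.
LOGON_MECHANISM = {
    2: "INTERACTIVE", 3: "NETWORK", 8: "NETWORK", 4: "BATCH", 5: "SERVICE",
    7: "UNLOCK", 9: "NEW_CREDENTIALS", 10: "REMOTE_INTERACTIVE",
    11: "CACHED_INTERACTIVE",
}

# Assumed ClientIPAddress shapes: "203.0.113.5:52300", "[2001:db8::1]:443",
# or a bare address with no port.
_V4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
_V6_PORT = re.compile(r"^\[([0-9a-fA-F:.]+)\]:(\d{1,5})$")


def split_client_ip(value):
    """Split ClientIPAddress into (principal.ip, principal.port)."""
    if not value:
        return None, None
    value = value.strip()
    for rx in (_V4_PORT, _V6_PORT):
        m = rx.match(value)
        if m:
            return m.group(1), int(m.group(2))
    return value.strip("[]"), None


def logon_mechanism(logon_type):
    """Translate the numeric LogonType; anything unknown is MECHANISM_UNSPECIFIED."""
    try:
        return LOGON_MECHANISM.get(int(logon_type), "MECHANISM_UNSPECIFIED")
    except (TypeError, ValueError):
        return "MECHANISM_UNSPECIFIED"


def normalize_exchange(record):
    """Map one Exchange audit record to a minimal UDM-shaped dict."""
    ip, port = split_client_ip(record.get("ClientIPAddress"))
    owner = record.get("MailboxOwnerUPN")
    udm = {
        "metadata": {"event_type": "GENERIC_EVENT", "product_version": record.get("ClientVersion")},
        "principal": {"ip": [ip] if ip else [], "port": port,
                      "hostname": record.get("ClientMachineName"),
                      "user": {"windows_sid": record.get("LogonUserSid"),
                               "user_display_name": record.get("LogonUserDisplayName")},
                      "process": {"file": {"full_path": record.get("ClientProcessName")}}},
        "target": {"user": {"email_addresses": [owner] if owner else [],
                            "windows_sid": record.get("MailboxOwnerSid")},
                   "administrative_domain": record.get("OrganizationName"),
                   "resource": {}, "file": {}},
        "network": {"http": {"user_agent": record.get("ClientInfoString")},
                    "session_id": record.get("SessionId"), "email": {}},
        "extensions": {"auth": {"mechanism": logon_mechanism(record.get("LogonType"))}},
        "about": [{"labels": [{"key": "InternalLogonType",
                               "value": str(record.get("InternalLogonType"))}]}],
        "security_result": {},
    }
    op = record.get("Operation")
    if op == "Update":
        item = record.get("Item") or {}
        udm["metadata"]["event_type"] = "EMAIL_UNCATEGORIZED"
        udm["target"]["resource"] = {"product_object_id": item.get("Id"),
                                     "name": (item.get("ParentFolder") or {}).get("Path")}
        udm["network"]["email"] = {"subject": item.get("Subject"),
                                   "mail_id": item.get("InternetMessageId")}
        if item.get("SizeInBytes") is not None:
            udm["target"]["file"]["size"] = int(item["SizeInBytes"])
        if item.get("Attachments"):  # not always present in the record
            udm["target"]["file"]["full_path"] = item["Attachments"]
    elif op == "New-InboxRule":
        udm["metadata"]["event_type"] = "SETTING_CREATION"
        udm["target"]["resource"]["resource_type"] = "SETTING"
        udm["target"]["group"] = {"product_object_id": record.get("ObjectId")}
        # Parameters assumed to be a list of {Name, Value}; each becomes a rule label.
        udm["security_result"]["rule_labels"] = [
            {"key": p.get("Name"), "value": str(p.get("Value"))}
            for p in record.get("Parameters") or []]
    return udm


def forwarding_targets(udm):
    """Rule labels whose parameter sends mail out of the mailbox (my own check)."""
    keys = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
    labels = udm.get("security_result", {}).get("rule_labels", [])
    return [lab["value"] for lab in labels if lab["key"] in keys]


# Constructed sample records, not real tenant data.
SAMPLE_UPDATE = {
    "Operation": "Update", "Workload": "Exchange", "LogonType": 2, "InternalLogonType": 0,
    "MailboxOwnerUPN": "bob@example.com", "MailboxOwnerSid": "S-1-5-21-1-2-3-1001",
    "LogonUserSid": "S-1-5-21-1-2-3-1001", "LogonUserDisplayName": "Bob Example",
    "ClientInfoString": "Client=OWA;Action=ViaProxy", "ClientIPAddress": "[2001:db8::1]:443",
    "Item": {"Id": "RgAAAAExample", "Subject": "Q3 forecast", "SizeInBytes": 48213,
             "InternetMessageId": "<abc@example.com>", "ParentFolder": {"Path": "\\Inbox"}},
}
SAMPLE_NEW_RULE = {
    "Operation": "New-InboxRule", "Workload": "Exchange",
    "ObjectId": "bob@example.com\\Auto forward", "MailboxOwnerUPN": "bob@example.com",
    "ClientIPAddress": "203.0.113.5:52300",
    "Parameters": [{"Name": "Name", "Value": "Auto forward"},
                   {"Name": "ForwardTo", "Value": "external@example.net"},
                   {"Name": "DeleteMessage", "Value": "True"}],
}
```

Running normalize_exchange(SAMPLE_NEW_RULE) and then forwarding_targets on the result returns ["external@example.net"]; the Update sample yields an empty list, carries principal.ip "2001:db8::1" with port 443, and sets target.file.size without target.file.full_path because the constructed Item has no Attachments.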
Set-InboxRule
The following table lists the log fields and corresponding UDM mappings for the operation "Set-InboxRule" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; ObjectId is mapped to target.group.product_object_id; target.resource.resource_type is set to SETTING | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
Parameters | security_result.rule_labels.key/value |
SessionId | network.session_id |
ClientRequestId | principal.labels.key/value |
Version | metadata.product_version |
MoveToDeletedItems
The following table lists the log fields and corresponding UDM mappings for the operation "MoveToDeletedItems" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
DestFolder | target.resource.product_object_id, target.resource.name |
SessionId | network.session_id |
Version | metadata.product_version |
AffectedItems | about.file.full_path, network.email.subject, network.email.mail_id. AffectedItems.Subject is mapped to network.email.subject, AffectedItems.ParentFolder.Path to about.file.full_path, AffectedItems.0.InternetMessageId to network.email.mail_id |
Folder | src.resource.product_object_id, src.resource.name |
ClientRequestId | principal.labels.key/value |
AppId | target.labels.key/value |
Move
The following table lists the log fields and corresponding UDM mappings for the operation "Move" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
DestFolder | target.resource.product_object_id, target.resource.name |
SessionId | network.session_id |
Version | metadata.product_version |
AffectedItems | about.file.full_path, network.email.subject, network.email.mail_id |
Folder | src.resource.product_object_id, src.resource.name |
MailItemsAccessed
The following table lists the log fields and corresponding UDM mappings for the operation "MailItemsAccessed" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
OperationProperties | security_result.detection_fields.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
OperationCount | about.labels.key/value |
AppId | target.labels.key/value |
Folders | about.resource.name, about.resource.product_object_id, network.email.mail_id. Folders.Path is mapped to about.resource.name, Folders.Id to about.resource.product_object_id, Folders.0.FolderItems.0.InternetMessageId to network.email.mail_id |
MailboxLogin
The following table lists the log fields and corresponding UDM mappings for the operation "MailboxLogin" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN; extensions.auth.type is set to MACHINE | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
SessionId | network.session_id |
Version | metadata.product_version |
SoftDelete
The following table lists the log fields and corresponding UDM mappings for the operation "SoftDelete" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
AffectedItems | about.file.full_path, network.email.subject, network.email.mail_id. AffectedItems.Attachments is mapped to about.file.full_path, AffectedItems.Subject to network.email.subject, AffectedItems.0.InternetMessageId to network.email.mail_id |
Folder | target.resource.name, target.resource.product_object_id. Folder.Path is mapped to target.resource.name, Folder.Id to target.resource.product_object_id |
SessionId | network.session_id |
ClientRequestId | principal.labels.key/value |
Version | metadata.product_version |
HardDelete
The following table lists the log fields and corresponding UDM mappings for the operation "HardDelete" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
AffectedItems | about.file.full_path, network.email.subject, network.email.mail_id |
Version | metadata.product_version |
ClientAppId | target.labels.key/value |
AppId | target.labels.key/value |
Folder | target.resource.name, target.resource.product_object_id |
Create
The following table lists the log fields and corresponding UDM mappings for the operation "Create" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
Item | target.resource.name, target.resource.product_object_id, target.file.full_path, network.email.subject, network.email.mail_id. Item.Id is mapped to target.resource.product_object_id, Item.InternetMessageId to network.email.mail_id, Item.ParentFolder.Path to target.resource.name, Item.Subject to network.email.subject. Item.Attachments is not always present in the log; when it is, it is mapped to target.file.full_path |
SessionId | network.session_id |
Version | metadata.product_version |
RemoveFolderPermissions
The following table lists the log fields and corresponding UDM mappings for the operation "RemoveFolderPermissions" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded, security_result.action is set to ALLOW; otherwise it is set to BLOCK | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
Item | target.file.full_path, target.resource.attribute.permissions.name, target.user.email_addresses or target.user.userid. Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid, Item.ParentFolder.Path to target.file.full_path, the folder user rights to target.resource.attribute.permissions.name |
SessionId | network.session_id |
Version | metadata.product_version |
ModifyFolderPermissions
The following table lists the log fields and corresponding UDM mappings for the operation "ModifyFolderPermissions" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded, Action is set to ALLOW; otherwise Action is set to BLOCK. | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
Item | target.file.full_path, target.user.email_addresses or target.user.userid, target.resource.attribute.permissions.name |
SessionId | network.session_id |
Version | metadata.product_version |
AddFolderPermissions
The following table lists the log fields and corresponding UDM mappings for the operation "AddFolderPermissions" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded, Action is set to ALLOW; otherwise Action is set to BLOCK. | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
Item | target.file.full_path, target.user.email_addresses or target.user.userid, target.resource.attribute.permissions.name. Path is mapped to target.file.full_path. Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid. User Rights is mapped to target.resource.attribute.permissions.name. |
SessionId | network.session_id |
Version | metadata.product_version |
AppId | target.labels.key/value |
Remove-MailboxPermission
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MailboxPermission" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
Parameters | security_result.detection_fields.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Add-MailboxPermission
The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxPermission" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
ClientAppId | target.labels.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
AppId | target.resource.attribute.labels.key/value |
Parameters | security_result.detection_fields.key/value |
ObjectId | target.resource.attribute.labels.key/value |
UpdateInboxRules
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInboxRules" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
ClientAppId | target.labels.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Item | target.resource.product_object_id, target.resource.name. Item.ParentFolder.name is mapped to target.resource.name. Item.ParentFolder.id is mapped to target.resource.product_object_id. |
OperationProperties | security_result.rule_id, security_result.rule_name, security_result.detection_fields.key/value. If Name is RuleId, Value is mapped to security_result.rule_id; if Name is RuleName, Value is mapped to security_result.rule_name; otherwise the pair is mapped to security_result.detection_fields.key/value. |
ClientRequestId | principal.labels.key/value |
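As an added example (not Chronicle's OFFICE_365 parser code), the following Python applies the UpdateInboxRules mapping rules from the table above to a constructed audit record, including the conditional OperationProperties routing and the split of ClientIPAddress into principal.ip and principal.port. All record values are made up, and the output is a plain dict shaped like the UDM fields the table names.

```python
import json

# Constructed sample record (not a real log); keys follow the table's field names.
SAMPLE_RECORD = json.dumps({
    "Operation": "UpdateInboxRules",
    "Workload": "Exchange",
    "LogonType": 0,
    "MailboxGuid": "7e1c0a1e-0000-4000-8000-000000000001",
    "MailboxOwnerUPN": "alice@example.com",
    "LogonUserSid": "S-1-5-21-1-2-3-1001",
    "LogonUserDisplayName": "Alice Example",
    "OriginatingServer": "EXCH01",
    "OrganizationName": "example.onmicrosoft.com",
    "ClientInfoString": "Client=OWA;Action=ViaProxy",
    "ClientIPAddress": "203.0.113.10:51234",
    "SessionId": "0f1e2d3c",
    "ClientRequestId": "req-42",
    "Item": {"ParentFolder": {"id": "LgAAAA==", "name": "Inbox"}},
    "OperationProperties": [
        {"Name": "RuleId", "Value": "12345"},
        {"Name": "RuleName", "Value": "Archive newsletters"},
        {"Name": "RuleActions", "Value": "MoveToFolder"},
    ],
})

# Single-valued fields: log field -> dotted UDM path, as listed in the table.
DIRECT = {
    "LogonType": "extensions.auth.mechanism",
    "LogonUserSid": "principal.user.windows_sid",
    "LogonUserDisplayName": "principal.user.user_display_name",
    "OriginatingServer": "principal.hostname",
    "OrganizationName": "target.administrative_domain",
    "ClientInfoString": "network.http.user_agent",
    "SessionId": "network.session_id",
}
# Fields the table keeps as key/value labels: log field -> UDM noun owning the labels.
LABELS = {"InternalLogonType": "about", "MailboxGuid": "target", "ClientRequestId": "principal"}


def _set(udm, path, value):
    """Assign value at a dotted UDM path, creating intermediate dicts."""
    *parents, leaf = path.split(".")
    node = udm
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value


def map_update_inbox_rules(raw):
    """Map one raw JSON record to a UDM-shaped dict using the table's rules."""
    rec = json.loads(raw)
    if rec.get("Operation") != "UpdateInboxRules" or rec.get("Workload") != "Exchange":
        raise ValueError("not an Exchange UpdateInboxRules record")
    udm = {"metadata": {"event_type": "USER_RESOURCE_UPDATE_CONTENT"}}
    for field, path in DIRECT.items():
        if field in rec:
            _set(udm, path, rec[field])
    for field, noun in LABELS.items():
        if field in rec:
            udm.setdefault(noun, {}).setdefault("labels", []).append(
                {"key": field, "value": str(rec[field])})
    # MailboxOwnerUPN: email_addresses when it is an address, otherwise userid.
    upn = rec.get("MailboxOwnerUPN")
    if upn and "@" in upn:
        _set(udm, "target.user.email_addresses", [upn])
    elif upn:
        _set(udm, "target.user.userid", upn)
    # ClientIPAddress carries "ip:port"; the table splits it into principal.ip and principal.port.
    addr = rec.get("ClientIPAddress", "")
    if addr.startswith("["):        # [ipv6]:port
        host, _, port = addr[1:].partition("]:")
    elif addr.count(":") == 1:      # ipv4:port
        host, _, port = addr.partition(":")
    else:                           # bare IPv4 or IPv6 address, no port
        host, port = addr, ""
    if host:
        _set(udm, "principal.ip", [host])
    if port.isdigit():
        _set(udm, "principal.port", int(port))
    # Item.ParentFolder.name/id -> target.resource.name / target.resource.product_object_id.
    folder = rec.get("Item", {}).get("ParentFolder", {})
    if "name" in folder:
        _set(udm, "target.resource.name", folder["name"])
    if "id" in folder:
        _set(udm, "target.resource.product_object_id", folder["id"])
    # OperationProperties: RuleId and RuleName get dedicated fields, anything else
    # lands in security_result.detection_fields as key/value.
    for prop in rec.get("OperationProperties", []):
        name, value = prop.get("Name"), prop.get("Value")
        if name == "RuleId":
            _set(udm, "security_result.rule_id", value)
        elif name == "RuleName":
            _set(udm, "security_result.rule_name", value)
        else:
            udm.setdefault("security_result", {}).setdefault(
                "detection_fields", []).append({"key": name, "value": value})
    return udm
```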
UpdateCalendarDelegation
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCalendarDelegation" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is set to SERVICE_ACCOUNT. | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
ApplyRecordLabel
The following table lists the log fields and corresponding UDM mappings for the operation "ApplyRecordLabel" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
UpdateFolderPermissions
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderPermissions" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. target.resource.resource_type is set to STORAGE_OBJECT. | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
Set-User
The following table lists the log fields and corresponding UDM mappings for the operation "Set-User" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CREATION. ObjectId is set to target.user.userid or target.user.email_addresses. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.detection_fields.key/value |
Version | metadata.product_version |
ViewReport
The following table lists the log fields and corresponding UDM mappings for the operation "ViewReport" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_READ | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.name |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is mapped to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
ActivityId | principal.labels.key/value |
ConsumptionMethod | target.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
DistributionMethod | about.labels.key/value |
ReportId | target.resource.product_object_id |
ReportType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkspaceId | target.resource.attribute.labels.key/value |
GenerateEmbedToken
The following table lists the log fields and corresponding UDM mappings for the operation "GenerateEmbedToken" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. ObjectId is set to target.file.full_path. | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
ActivityId | principal.labels.key/value |
ConsumptionMethod | target.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
DistributionMethod | about.labels.key/value |
ReportId | target.resource.attribute.labels.key/value |
ReportType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkspaceId | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
EmbedTokenId | target.resource.product_object_id |
RLSIdentities | about.user.email_addresses, about.user.attribute.roles.name. RLSIdentities.UserName is mapped to about.user.email_addresses. RLSIdentities.Roles is mapped to about.user.attribute.roles.name. |
CreateDataset
The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataset" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.name |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_object_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
LastRefreshTime | about.labels.key/value |
GenerateCustomVisualAADAccessToken
The following table lists the log fields and corresponding UDM mappings for the operation "GenerateCustomVisualAADAccessToken" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
CustomVisualAccessTokenResourceId | target.resource.product_object_id |
CustomVisualAccessTokenSiteUri | target.url |
DeleteOrganizationalGalleryItem
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteOrganizationalGalleryItem" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
OrganizationalGalleryItemId | target.resource.product_object_id |
OrganizationalGalleryItemDisplayName | target.resource.name |
OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
DeleteAlmPipeline
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteAlmPipeline" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DeploymentPipelineId | target.labels.key/value |
DeploymentPipelineObjectId | target.resource.product_object_id |
AddDatasourceToGateway
The following table lists the log fields and corresponding UDM mappings for the operation "AddDatasourceToGateway" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
GatewayId | target.resource.attribute.labels.key/value |
GatewayType | target.labels.key/value |
DatasourceId | target.resource.product_object_id |
DatasourceType | target.resource.attribute.labels.key/value |
AssignWorkspaceToPipeline
The following table lists the log fields and corresponding UDM mappings for the operation "AssignWorkspaceToPipeline" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | principal.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | principal.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DeploymentPipelineId | target.labels.key/value |
DeploymentPipelineObjectId | target.resource.product_object_id |
DeploymentPipelineStageOrder | target.labels.key/value |
CancelDataflowRefresh
The following table lists the log fields and corresponding UDM mappings for the operation "CancelDataflowRefresh" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DataflowId | target.resource.product_object_id |
DataflowName | target.resource.name |
DataflowType | target.resource.attribute.labels.key/value |
ChangeCapacityState
The following table lists the log fields and corresponding UDM mappings for the operation "ChangeCapacityState" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CapacityName | target.resource.name |
CapacityUsers | about.labels.key/value |
CapacityState | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
ChangeGatewayAdministrators
The following table lists the log fields and corresponding UDM mappings for the operation "ChangeGatewayAdministrators" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
GatewayId | target.resource.product_object_id |
UserInformation | about.user.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
InsertOrganizationalGalleryItem
The following table lists the log fields and corresponding UDM mappings for the operation "InsertOrganizationalGalleryItem" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
OrganizationalGalleryItemId | target.resource.product_object_id |
OrganizationalGalleryItemDisplayName | target.resource.name |
OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
CreateAlmPipeline
The following table lists the log fields and corresponding UDM mappings for the operation "CreateAlmPipeline" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
DeploymentPipelineId | target.labels.key/value |
DeploymentPipelineObjectId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
CreateApp
The following table lists the log fields and corresponding UDM mappings for the operation "CreateApp" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.name |
WorkspaceId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
CreateDashboard
The following table lists the log fields and corresponding UDM mappings for the operation "CreateDashboard" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. If IsSuccess is true, security_result.summary is "Dashboard created successfully"; otherwise security_result.summary is "Dashboard not created". | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses. RecipientName is mapped to about.user.user_display_name. ObjectId is set to about.user.product_object_id. ResharePermission is mapped to about.user.attribute.permissions.name. |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardId | target.resource.product_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DistributionMethod | about.labels.key/value |
CreateDataflow
The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataflow" and the workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_CREATION. If IsSuccess is true, security_result.summary is "Dataflow created successfully"; otherwise security_result.summary is "Dataflow not created". | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DataflowType | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_id |
WorkspaceId | target.resource.attribute.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
CreateEmailSubscription
The following table lists the log fields and corresponding UDM mappings for the operation "CreateEmailSubscription" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_CREATION. If IsSuccess is true, security_result.summary is "EmailSubscription created successfully"; otherwise security_result.summary is "EmailSubscription not created". ObjectId is set to target.file.full_path | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
SubscriptionSchedule | target.labels.key/value |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
SubscribeeInformation | network.email.to |
DashboardId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
CreateFolder
The following table lists the log fields and corresponding UDM mappings for the operation "CreateFolder" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
FolderDisplayName | target.resource.name |
FolderObjectId | target.resource.attribute.labels.key/value |
CreateGateway
The following table lists the log fields and corresponding UDM mappings for the operation "CreateGateway" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
GatewayId | target.resource.product_object_id |
GatewayType | target.labels.key/value |
CreateTemplateApp
The following table lists the log fields and corresponding UDM mappings for the operation "CreateTemplateApp" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
ActivityId | principal.labels.key/value |
TemplateAppObjectId | target.resource.product_object_id |
RequestId | about.labels.key/value |
DeleteComment
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteComment" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
AuditedArtifactInformation | target.resource.name, target.resource.product_object_id, target.resource.attribute.labels.key/value (Name is mapped to target.resource.name; ArtifactObjectId is set to target.resource.product_object_id; AnnotatedItemType is mapped to target.resource.attribute.labels.key/value) |
WorkspaceId | target.resource.attribute.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
DeleteDashboard
The following table lists the log fields and corresponding UDM mappings for the operation "Delete Dashboard" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DashboardId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
DashboardName | target.resource.name |
Datasets | about.resource.product_object_id, about.resource.name (DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name) |
DistributionMethod | about.labels.key/value |
DeleteDataflow
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataflow" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_object_id |
DataflowName | target.resource.name |
DataflowType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
DeleteDataset
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataset" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_object_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
LastRefreshTime | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DeleteEmailSubscription
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteEmailSubscription" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_DELETION. ObjectId is set to target.file.full_path | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DashboardId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
DeleteFolder
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFolder" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. If IsSuccess is TRUE, security_result.action is set to ALLOW; otherwise security_result.action is set to BLOCK | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
FolderObjectId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DeleteGateway
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteGateway" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
GatewayId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DeleteGroup
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteGroup" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.name |
WorkspaceId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DeleteReport
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
ReportName | target.resource.name |
ReportId | target.resource.product_object_id |
ReportType | target.resource.attribute.labels.key/value |
DownloadReport
The following table lists the log fields and corresponding UDM mappings for the operation "DownloadReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
ReportName | target.resource.name |
ReportId | target.resource.product_object_id |
ReportType | target.resource.attribute.labels.key/value |
EditDataset
The following table lists the log fields and corresponding UDM mappings for the operation "EditDataset" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_object_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
LastRefreshTime | about.labels.key/value |
EditDatasetProperties
The following table lists the log fields and corresponding UDM mappings for the operation "EditDatasetProperties" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DatasetId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetCertificationStage | target.resource.attribute.labels.key/value |
LastRefreshTime | about.labels.key/value |
EditReport
The following table lists the log fields and corresponding UDM mappings for the operation "EditReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
ReportName | target.resource.name |
ReportId | target.resource.attribute.labels.key/value |
ReportType | target.resource.attribute.labels.key/value |
ExportDataflow
The following table lists the log fields and corresponding UDM mappings for the operation "ExportDataflow" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If IsSuccess is TRUE, security_result.summary is "Dataflow Exported Successfully"; otherwise security_result.summary is "Dataflow Not Exported" | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_id |
DataflowName | target.resource.name |
DataflowType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
ExportReport
The following table lists the log fields and corresponding UDM mappings for the operation "ExportReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If IsSuccess is TRUE, security_result.summary is "Report Exported Successfully"; otherwise security_result.summary is "Report Not Exported" | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
DatasetId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
DataConnectivityMode | target.resource.attribute.labels.key/value |
LastRefreshTime | about.labels.key/value |
InstallApp
The following table lists the log fields and corresponding UDM mappings for the operation "InstallApp" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
InstallTemplateApp
The following table lists the log fields and corresponding UDM mappings for the operation "InstallTemplateApp" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp Operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name) |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name) |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
TemplateAppFolderObjectId | about.labels.key/value |
TemplateAppOwnerTenantObjectId | principal.user.product_object_id |
TemplateAppVersion | metadata.product_version |
TemplateAppObjectId | target.resource.product_object_id |
TemplatePackageName | target.resource.name |
PostComment
The following table lists the log fields and corresponding UDM mappings for operation "PostComment" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
AuditedArtifactInformation | target.resource.name, target.resource.product_object_id, target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
PrintDashboard
The following table lists the log fields and corresponding UDM mappings for operation "PrintDashboard" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. ObjectId is set to target.file.full_path | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardId | target.resource.product_object_id |
Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id and DatasetName is mapped to about.resource.name |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DistributionMethod | about.labels.key/value |
PrintReport
The following table lists the log fields and corresponding UDM mappings for operation "PrintReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
ReportName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
ReportId | target.resource.product_object_id |
ReportType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DistributionMethod | about.labels.key/value |
UnassignWorkspaceFromPipeline
The following table lists the log fields and corresponding UDM mappings for operation "UnassignWorkspaceFromPipeline" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
DeploymentPipelineId | target.resource.attribute.labels.key/value |
DeploymentPipelineObjectId | target.resource.product_object_id |
RemoveDatasourceFromGateway
The following table lists the log fields and corresponding UDM mappings for operation "RemoveDatasourceFromGateway" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
GatewayId | target.resource.attribute.labels.key/value |
DatasourceId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
RenameDashboard
The following table lists the log fields and corresponding UDM mappings for operation "RenameDashboard" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. ObjectId is set to target.file.full_path | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardId | target.resource.product_object_id |
Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id and DatasetName is mapped to about.resource.name |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DistributionMethod | about.labels.key/value |
RequestDataflowRefresh
The following table lists the log fields and corresponding UDM mappings for operation "RequestDataflowRefresh" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_object_id |
DataflowName | target.resource.name |
DataflowRefreshScheduleType | target.labels.key/value |
DataflowType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
RefreshDataset
The following table lists the log fields and corresponding UDM mappings for operation "RefreshDataset" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_object_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
RefreshType | target.labels.key/value |
LastRefreshTime | about.labels.key/value |
SensitivityLabelApplied
The following table lists the log fields and corresponding UDM mappings for operation "SensitivityLabelApplied" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
DataConnectivityMode | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
SensitivityLabelId | target.resource.product_object_id |
ActionSourceDetail | principal.labels.key/value |
LabelEventType | target.labels.key/value |
LastRefreshTime | about.labels.key/value |
ArtifactType | about.labels.key/value |
SensitivityLabelRemoved
The following table lists the log fields and corresponding UDM mappings for operation "SensitivityLabelRemoved" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
DataConnectivityMode | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
OldSensitivityLabelId | target.resource.product_object_id |
ActionSource | principal.labels.key is set to ActionSource and principal.labels.value is set to {Value} |
LabelEventType | target.labels.key/value |
LastRefreshTime | about.labels.key/value |
ActionSourceDetail | principal.labels.key/value |
ArtifactType | about.labels.key/value |
SetScheduledRefreshOnDataflow
The following table lists the log fields and corresponding UDM mappings for operation "SetScheduledRefreshOnDataflow" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_CREATION. target.resource.resource_type is set to TASK | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_id |
DataflowName | target.resource.name |
DataflowType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
SetScheduledRefresh
The following table lists the log fields and corresponding UDM mappings for operation "SetScheduledRefresh" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_CREATION. target.resource.resource_type is set to TASK | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
Schedules | target.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
LastRefreshTime | about.labels.key/value |
ShareDashboard
The following table lists the log fields and corresponding UDM mappings for operation "ShareDashboard" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
DashboardId | target.resource.product_object_id |
Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id and DatasetName is mapped to about.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
SharingAction | about.labels.key/value |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
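The multi-valued rows that recur in these tables (SharingInformation, Datasets, OrgAppPermission) are easier to follow as structured output. The Python below is an added example, not Chronicle's parser code: it applies the ShareDashboard table to a constructed audit record (all names and IDs in SAMPLE_RECORD are made up) and then uses the resulting about.user.email_addresses the way a detection would, to list recipients outside the organisation's mail domain.

```python
"""Apply the ShareDashboard mapping table to one Power BI audit record.

Added example, not Chronicle's parser code. Every value in SAMPLE_RECORD is
constructed; only the field names and UDM paths come from the table above.
"""
from typing import Any

# Rows of the ShareDashboard table that become label key/value pairs.
TARGET_LABELS = ("AppName", "DataClassification")
TARGET_RESOURCE_LABELS = ("DatasetName", "ReportName", "WorkSpaceName", "WorkspaceId")
ABOUT_LABELS = ("SwitchState", "SharingAction", "DistributionMethod", "RequestId")


def _labels(record: dict[str, Any], keys: tuple[str, ...]) -> list[dict[str, str]]:
    """Build UDM label entries for the keys that are present in the record."""
    return [{"key": k, "value": str(record[k])} for k in keys if k in record]


def normalize_share_dashboard(record: dict[str, Any]) -> dict[str, Any]:
    """Map one ShareDashboard record to the UDM fields listed in the table."""
    if record.get("Operation") != "ShareDashboard":
        raise ValueError("expected Operation == 'ShareDashboard'")

    target: dict[str, Any] = {
        "labels": _labels(record, TARGET_LABELS),
        "resource": {"attribute": {"labels": _labels(record, TARGET_RESOURCE_LABELS)}},
    }
    # DashboardName -> target.resource.name, DashboardId -> target.resource.product_object_id
    if "DashboardName" in record:
        target["resource"]["name"] = record["DashboardName"]
    if "DashboardId" in record:
        target["resource"]["product_object_id"] = record["DashboardId"]
    # OrgAppPermission: recipients -> target.user.email_addresses,
    # permissions -> target.user.attribute.permissions.name
    if "OrgAppPermission" in record:
        oap = record["OrgAppPermission"]
        target["user"] = {
            "email_addresses": list(oap.get("recipients", [])),
            "attribute": {"permissions": [{"name": p} for p in oap.get("permissions", [])]},
        }

    # "about" is a repeated noun in UDM: one entry per recipient in
    # SharingInformation and one per dataset in Datasets.
    about: list[dict[str, Any]] = []
    for share in record.get("SharingInformation", []):
        about.append({"user": {
            "email_addresses": [share["RecipientEmail"]],
            "user_display_name": share.get("RecipientName", ""),
            "product_object_id": share.get("ObjectId", ""),
            "attribute": {"permissions": [{"name": share.get("ResharePermission", "")}]},
        }})
    for ds in record.get("Datasets", []):
        about.append({"resource": {"product_object_id": ds["DatasetId"],
                                   "name": ds.get("DatasetName", "")}})
    # The scalar about.labels rows are carried on one extra about noun; the
    # table only says about.labels.key/value, so this placement is a choice.
    if about_labels := _labels(record, ABOUT_LABELS):
        about.append({"labels": about_labels})

    udm: dict[str, Any] = {
        "metadata": {"event_type": "USER_UNCATEGORIZED"},
        "principal": {"labels": _labels(record, ("ActivityId",))},
        "target": target,
        "about": about,
    }
    if "UserAgent" in record:
        udm["network"] = {"http": {"user_agent": record["UserAgent"]}}
    return udm


def shared_outside_domain(udm: dict[str, Any], domain: str) -> list[str]:
    """Recipient addresses in about.user.email_addresses that are not in `domain`."""
    suffix = "@" + domain.lower()
    return [addr for noun in udm.get("about", [])
            for addr in noun.get("user", {}).get("email_addresses", [])
            if not addr.lower().endswith(suffix)]


# Constructed ShareDashboard record: a dashboard shared with one internal and
# one external recipient. Names and IDs are made up.
SAMPLE_RECORD: dict[str, Any] = {
    "Operation": "ShareDashboard", "Workload": "PowerBI",
    "AppName": "Finance App", "DataClassification": "Confidential",
    "DashboardName": "Finance KPIs", "DashboardId": "dash-0001",
    "WorkSpaceName": "Finance", "WorkspaceId": "ws-0001",
    "SharingAction": "Invite", "DistributionMethod": "Shared",
    "RequestId": "req-0001", "ActivityId": "act-0001",
    "UserAgent": "Mozilla/5.0 (constructed)",
    "SharingInformation": [
        {"RecipientEmail": "alice@example.com", "RecipientName": "Alice",
         "ObjectId": "u-0001", "ResharePermission": "Read"},
        {"RecipientEmail": "bob@partner.example.net", "RecipientName": "Bob",
         "ObjectId": "u-0002", "ResharePermission": "ReadReshare"},
    ],
    "Datasets": [{"DatasetId": "ds-0001", "DatasetName": "GL Extract"}],
}

if __name__ == "__main__":
    event = normalize_share_dashboard(SAMPLE_RECORD)
    print("event_type:", event["metadata"]["event_type"])
    print("recipients outside example.com:", shared_outside_domain(event, "example.com"))
```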
ShareReport
The following table lists the log fields and corresponding UDM mappings for operation "ShareReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
Datasets | about.resource.product_object_id, about.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
ArtifactId | target.resource.product_object_id |
ArtifactName | target.resource.name |
SharingAction | about.labels.key/value |
ShareLinkId | about.labels.key/value |
OptInForProTrial
The following table lists the log fields and corresponding UDM mappings for operation "OptInForProTrial" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UnpublishApp
The following table lists the log fields and corresponding UDM mappings for operation "UnpublishApp" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkspaceId | target.resource.product_object_id |
WorkSpaceName | target.resource.name |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateOrganizationalGalleryItem
The following table lists the log fields and corresponding UDM mappings for operation "UpdateOrganizationalGalleryItem" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
OrganizationalGalleryItemId | target.resource.product_object_id |
OrganizationalGalleryItemDisplayName | target.resource.name |
OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
UpdateAlmPipelineAccess
The following table lists the log fields and corresponding UDM mappings for operation "UpdateAlmPipelineAccess" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DeploymentPipelineObjectId | target.resource.product_object_id |
DeploymentPipelineDisplayName | target.resource.name |
DeploymentPipelineAccesses | about.user.userid, about.user.attribute.permissions.name. userid is mapped to about.user.userid and Rolepermission is mapped to about.user.attribute.permissions.name |
UpdateInstalledTemplateAppParameters
The following table lists the log fields and corresponding UDM mappings for operation "UpdateInstalledTemplateAppParameters" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
TemplateAppObjectId | target.resource.product_object_id |
TemplatePackageName | target.resource.name |
TemplateAppVersion | metadata.product_version |
TemplateAppFolderObjectId | about.labels.key/value |
UpdatedAdminFeatureSwitch
The following table lists the log fields and corresponding UDM mappings for operation "UpdatedAdminFeatureSwitch" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is mapped to SETTING | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. Mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses and permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses, RecipientName is mapped to about.user.user_display_name, ObjectId is set to about.user.product_object_id, and ResharePermission is mapped to about.user.attribute.permissions.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
SwitchState | about.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateApp
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateApp" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.name |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
WorkspaceId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateDataflow
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDataflow" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_object_id |
DataflowName | target.resource.name |
DataflowType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateDatasetParameters
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasetParameters" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_object_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
LastRefreshTime | about.labels.key/value |
UpdateEmailSubscription
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateEmailSubscription" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION. target.resource.type is mapped to TASK. | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
SubscriptionSchedule | target.labels.key/value |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
SubscribeeInformation | network.email.to |
DashboardId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
UpdateFolder
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolder" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
FolderObjectId | target.resource.product_object_id |
FolderDisplayName | target.resource.name |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateFolderAccess
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderAccess" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
FolderObjectId | target.resource.product_object_id |
FolderDisplayName | target.resource.name |
FolderAccessRequests | about.user.userid, about.user.product_object_id, about.user.attribute.permissions.type. UserId is mapped to about.user.userid; UserObjectId is set to about.user.product_object_id; RolePermissions is mapped to about.user.attribute.permissions.type |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateDatasourceCredentials
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasourceCredentials" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
GatewayId | target.resource.attribute.labels.key/value |
DatasourceId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UpdateTemplateAppSettings
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppSettings" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. | |
AppName | target.labels.key/value |
ActivityId | principal.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
TemplateAppObjectId | target.resource.product_object_id |
UpdateTemplateAppTestPackagePermissions
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppTestPackagePermissions" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
TemplateAppObjectId | target.resource.product_object_id |
ViewDashboard
The following table lists the log fields and corresponding UDM mappings for the operation "ViewDashboard" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_READ | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
ConsumptionMethod | target.labels.key/value |
DistributionMethod | about.labels.key/value |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
Datasets | about.resource.product_object_id, about.resource.name. DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name |
DashboardId | target.resource.product_object_id |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
ViewDataflow
The following table lists the log fields and corresponding UDM mappings for the operation "ViewDataflow" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_READ | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
CapacityId | about.labels.key/value |
CapacityName | about.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DataflowId | target.resource.product_object_id |
DataflowName | target.resource.name |
DataflowType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
AddTile
The following table lists the log fields and corresponding UDM mappings for the operation "AddTile" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.name |
WorkspaceId | target.resource.product_object_id |
TileText | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
RunEmailSubscription
The following table lists the log fields and corresponding UDM mappings for the operation "RunEmailSubscription" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCHEDULED_TASK_CREATION. target.resource.resource_type is set to TASK. If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT. | |
AppName | target.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DashboardName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DashboardId | target.resource.product_object_id |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DistributionMethod | about.labels.key/value |
CreateReport
The following table lists the log fields and corresponding UDM mappings for the operation "CreateReport" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
ReportName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
ReportId | target.resource.product_object_id |
ReportType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
DistributionMethod | about.labels.key/value |
GetSnapshots
The following table lists the log fields and corresponding UDM mappings for the operation "GetSnapshots" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
OptInForPPUTrial
The following table lists the log fields and corresponding UDM mappings for the operation "OptInForPPUTrial" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permission.name. This field is mapped based on the UpdateApp Operation value: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
Set-MailUser
The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailUser" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED. ObjectId is set to target.group.group_display_name. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | network.application_protocol, target.user.email_addresses, target.group.email_addresses. If Name is EmailAddresses, then the Value field is extracted, and emails and mail_key are extracted from it; the emails are mapped to target.user.email_addresses and mail_key to network.email.mail_id. If Name is ExternalEmailAddress, then the Value field is extracted, and protocol and emails are extracted from it; protocol is mapped to network.application_protocol and emails to target.group.email_addresses. In summary: Protocol is mapped to network.application_protocol; EmailAddresses is mapped to target.user.email_addresses; ExternalEmailAddress is mapped to target.group.email_addresses |
Version | metadata.product_version |
Set-MailContact
The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailContact" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED. ObjectId is set to target.group.group_display_name. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | network.application_protocol, target.user.email_addresses, target.group.email_addresses. If Name is EmailAddresses, then the Value field is extracted, and emails and mail_key are extracted from it; the emails are mapped to target.user.email_addresses and mail_key to network.email.mail_id. If Name is ExternalEmailAddress, then the Value field is extracted, and protocol and emails are extracted from it; protocol is mapped to network.application_protocol and emails to target.group.email_addresses. In summary: Protocol is mapped to network.application_protocol; EmailAddresses is mapped to target.user.email_addresses; ExternalEmailAddress is mapped to target.group.email_addresses |
Version | metadata.product_version |
Set-Mailbox
The following table lists the log fields and corresponding UDM mappings for the operation "Set-Mailbox" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED. Object is mapped to target.group.group_display_name. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.detection_fields.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Set-DistributionGroup
The following table lists the log fields and corresponding UDM mappings for the operation "Set-DistributionGroup" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION. ObjectId is set to target.group.group_display_name. security_result.summary is set to "Group members definition". If ResultStatus is True, then Action is set to ALLOW; else Action is set to BLOCK. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.group.product_object_id or target.group.email_addresses, security_result.description, target.group.attribute.labels.key/value. If Name is Identity, then Value is mapped to target.group.product_object_id or target.group.email_addresses. If Name is AcceptMessagesOnlyFromSendersOrMembers, then Value is mapped to security_result.description; otherwise it is mapped to target.group.attribute.labels.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Set-Contact
The following table lists the log fields and corresponding UDM mappings for the operation "Set-Contact" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED. ObjectId is set to target.group.group_display_name. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | network.application_protocol, target.user.email_addresses, target.group.email_addresses. If Name is EmailAddresses, then the Value field is extracted, and emails and mail_key are extracted from it; the emails are mapped to target.user.email_addresses and mail_key to network.email.mail_id. If Name is ExternalEmailAddress, then the Value field is extracted, and protocol and emails are extracted from it; protocol is mapped to network.application_protocol and emails to target.group.email_addresses. In summary: Protocol is mapped to network.application_protocol; EmailAddresses is mapped to target.user.email_addresses; ExternalEmailAddress is mapped to target.group.email_addresses |
Version | metadata.product_version |
Set-CASMailbox
The following table lists the log fields and corresponding UDM mappings for the operation "Set-CASMailbox" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED. ObjectId is set to target.group.group_display_name. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
ModifiedObjectResolvedName | about.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.detection_fields.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Set-CalendarProcessing
The following table lists the log fields and corresponding UDM mappings for the operation "Set-CalendarProcessing" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.user.user_display_name. If Name is ResourceDelegates, then Value is mapped to target.user.user_display_name |
SessionId | network.session_id |
Version | metadata.product_version |
Set-AdminAuditLogConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Set-AdminAuditLogConfig" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT. ObjectId is mapped to target.url. target.resource.resource_type is set to SETTING. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
ModifiedObjectResolvedName | about.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.detection_fields.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Remove-UnifiedGroup
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-UnifiedGroup" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.detection_fields.key/value |
Version | metadata.product_version |
Remove-MigrationUser
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MigrationUser" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION. ObjectId is set to target.user.userid or target.user.email_addresses. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.detection_fields.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
Update-eDiscoveryCaseAdmin
The following table lists the log fields and corresponding UDM mappings for the operation "Update-eDiscoveryCaseAdmin" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Remove-DistributionGroupMember
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-DistributionGroupMember" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION. ObjectId is set to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, then Action is set to ALLOW; else Action is set to BLOCK. | |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id or target.user.email_addresses or target.user.user_display_name; target.group.attribute.labels.key/value. If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses. If Name is Member, Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name. Otherwise, Name/Value is mapped to target.group.attribute.labels.key/value. |
Version | metadata.product_version |
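The Remove-DistributionGroupMember rules above, applied to two constructed Exchange audit records: ResultStatus decides the ALLOW/BLOCK action, the Identity and Member parameters are routed to the group and user fields, and every other parameter becomes a group label. This is an added example, not Chronicle's parser code; the GUIDs, addresses and server name are made up, and choosing between product_object_id, email_addresses and user_display_name by the shape of the value is this example's assumption, since the table only lists the candidate fields.

```python
"""Added example (not Chronicle's parser code): the Remove-DistributionGroupMember
mapping rules from the table above, applied to constructed Exchange audit records."""
import json
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample records; every identifier, address and host name is made up.
SAMPLE_SUCCESS = json.dumps({
    "Operation": "Remove-DistributionGroupMember",
    "Workload": "Exchange",
    "ResultStatus": "True",
    "ObjectId": "Finance Team",
    "OrganizationName": "contoso.onmicrosoft.com",
    "OriginatingServer": "EX01 (15.20.1234.000)",
    "AppId": "00000000-0000-0000-0000-000000000001",
    "ClientAppId": "00000000-0000-0000-0000-000000000002",
    "Version": "1",
    "Parameters": [
        {"Name": "Identity", "Value": "finance@contoso.com"},
        {"Name": "Member", "Value": "alice@contoso.com"},
        {"Name": "BypassSecurityGroupManagerCheck", "Value": "True"},
    ],
})
# Same event, but the cmdlet failed and group/member were given as GUID and display name.
SAMPLE_FAILED = json.dumps({
    **json.loads(SAMPLE_SUCCESS),
    "ResultStatus": "False",
    "Parameters": [
        {"Name": "Identity", "Value": "11111111-2222-3333-4444-555555555555"},
        {"Name": "Member", "Value": "Alice Example"},
    ],
})


def map_remove_distribution_group_member(raw: str) -> dict:
    """Build the UDM event the table describes. Picking the field by the shape of
    the value (GUID / e-mail / anything else) is this example's assumption."""
    rec = json.loads(raw)
    udm = {
        "metadata": {"event_type": "GROUP_MODIFICATION",
                     "product_version": rec.get("Version")},
        "principal": {"hostname": rec.get("OriginatingServer")},
        "target": {
            "administrative_domain": rec.get("OrganizationName"),
            "group": {"group_display_name": rec.get("ObjectId"),
                      "attribute": {"labels": []}},
            "user": {},
            "labels": [{"key": k, "value": rec[k]}
                       for k in ("AppId", "ClientAppId") if k in rec],
        },
        "security_result": {
            "summary": "Group Members definition",
            # ResultStatus is the string "True" or "False" in the audit record.
            "action": "ALLOW" if rec.get("ResultStatus") == "True" else "BLOCK",
        },
    }
    for param in rec.get("Parameters", []):
        name, value = param.get("Name"), str(param.get("Value", ""))
        if name == "Identity":                       # the group being changed
            if EMAIL_RE.match(value):
                udm["target"]["group"]["email_addresses"] = [value]
            else:
                udm["target"]["group"]["product_object_id"] = value
        elif name == "Member":                       # the member being removed
            if GUID_RE.match(value):
                udm["target"]["user"]["product_object_id"] = value
            elif EMAIL_RE.match(value):
                udm["target"]["user"]["email_addresses"] = [value]
            else:
                udm["target"]["user"]["user_display_name"] = value
        else:                                        # everything else becomes a label
            udm["target"]["group"]["attribute"]["labels"].append(
                {"key": name, "value": value})
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_FAILED):
        print(json.dumps(map_remove_distribution_group_member(sample), indent=2))
```

Note that a failed removal (ResultStatus "False") still produces a GROUP_MODIFICATION event; only security_result.action tells the two apart, so a detection rule on membership changes should filter on that field rather than on event_type alone.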
ViewedSearchExported
The following table lists the log fields and corresponding UDM mappings for the operation "ViewedSearchExported" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is SearchIds, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
AddWorkingSetQueryToWorkingSet
The following table lists the log fields and corresponding UDM mappings for the operation "AddWorkingSetQueryToWorkingSet" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
AddQueryToWorkingSet
The following table lists the log fields and corresponding UDM mappings for the operation "AddQueryToWorkingSet" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
RunAlgo
The following table lists the log fields and corresponding UDM mappings for the operation "RunAlgo" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
AnnotateDocument
The following table lists the log fields and corresponding UDM mappings for the operation "AnnotateDocument" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
BurnJob
The following table lists the log fields and corresponding UDM mappings for the operation "BurnJob" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
CreateWorkingSet
The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingSet" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
CreateWorkingsetSearch
The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingsetSearch" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
CreateTag
The following table lists the log fields and corresponding UDM mappings for the operation "CreateTag" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
DeleteWorkingsetSearch
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteWorkingsetSearch" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
DeleteTag
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteTag" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
DownloadDocument
The following table lists the log fields and corresponding UDM mappings for the operation "DownloadDocument" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
UpdateTag
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTag" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
ExportJob
The following table lists the log fields and corresponding UDM mappings for the operation "ExportJob" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
UpdateCaseSettings
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCaseSettings" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT instead. |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
UpdateWorkingsetSearch
The following table lists the log fields and corresponding UDM mappings for the operation "UpdateWorkingsetSearch" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
TagFiles
The following table lists the log fields and corresponding UDM mappings for the operation "TagFiles" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
ViewDocument
The following table lists the log fields and corresponding UDM mappings for the operation "ViewDocument" and the workload "Compliance":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
CaseId | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
StartTime | target.resource.attribute.creation_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
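The Compliance-workload tables above all share the same five field mappings and differ only in event_type, with one edge case: an UpdateCaseSettings record without a ClientIP field is demoted to GENERIC_EVENT while target.resource.resource_type stays SETTING. The following added example (not Chronicle's parser code) applies that shared mapping to constructed records and shows the detection-side consequence: a rule that keys only on SETTING_MODIFICATION misses the demoted events, so it should also match on resource_type. The case id, case name, timestamps, ExtendedProperties and ClientIP value are made up, and the GENERIC_EVENT fallback for operations not in the tables is this example's assumption.

```python
"""Added example (not Chronicle's parser code): the Compliance-workload mapping
shared by the tables above, including the UpdateCaseSettings ClientIP rule."""
import json

# event_type per Compliance operation, taken from the tables above.
COMPLIANCE_EVENT_TYPES = {
    "AddWorkingSetQueryToWorkingSet": "USER_RESOURCE_UPDATE_CONTENT",
    "AddQueryToWorkingSet": "USER_RESOURCE_UPDATE_CONTENT",
    "RunAlgo": "USER_UNCATEGORIZED",
    "AnnotateDocument": "USER_RESOURCE_ACCESS",
    "BurnJob": "USER_RESOURCE_UPDATE_CONTENT",
    "CreateWorkingSet": "USER_RESOURCE_CREATION",
    "CreateWorkingsetSearch": "USER_RESOURCE_CREATION",
    "CreateTag": "USER_RESOURCE_CREATION",
    "DeleteWorkingsetSearch": "USER_RESOURCE_DELETION",
    "DeleteTag": "USER_RESOURCE_DELETION",
    "DownloadDocument": "USER_RESOURCE_ACCESS",
    "UpdateTag": "USER_RESOURCE_UPDATE_CONTENT",
    "ExportJob": "USER_RESOURCE_ACCESS",
    "UpdateCaseSettings": "SETTING_MODIFICATION",
    "UpdateWorkingsetSearch": "USER_RESOURCE_UPDATE_CONTENT",
    "TagFiles": "USER_UNCATEGORIZED",
    "ViewDocument": "USER_RESOURCE_ACCESS",
}


def _record(operation: str, **extra) -> str:
    """Constructed sample record; case id, name, times and IP are made up."""
    rec = {"Operation": operation, "Workload": "Compliance", "Version": "1",
           "CaseId": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", "CaseName": "Litigation 42",
           "StartTime": "2024-05-01T10:15:00", "EndTime": "2024-05-01T10:15:03",
           "ExtendedProperties": [{"Name": "WorkingsetId", "Value": "ws-7"}]}
    rec.update(extra)
    return json.dumps(rec)


SAMPLE_SETTINGS_WITH_IP = _record("UpdateCaseSettings", ClientIP="203.0.113.7")
SAMPLE_SETTINGS_NO_IP = _record("UpdateCaseSettings")
SAMPLE_EXPORT = _record("ExportJob", ClientIP="203.0.113.7")


def map_compliance_record(raw: str) -> dict:
    rec = json.loads(raw)
    op = rec.get("Operation")
    # Assumption: operations not listed in the tables fall back to GENERIC_EVENT.
    event_type = COMPLIANCE_EVENT_TYPES.get(op, "GENERIC_EVENT")
    resource = {
        "product_object_id": rec.get("CaseId"),
        "name": rec.get("CaseName"),
        "attribute": {
            "creation_time": rec.get("StartTime"),
            "last_update_time": rec.get("EndTime"),
            "labels": [{"key": p["Name"], "value": str(p.get("Value", ""))}
                       for p in rec.get("ExtendedProperties", [])],
        },
    }
    if op == "UpdateCaseSettings":
        resource["resource_type"] = "SETTING"
        if "ClientIP" not in rec:
            event_type = "GENERIC_EVENT"          # the table's ClientIP-absent rule
    return {"metadata": {"event_type": event_type, "product_version": rec.get("Version")},
            "target": {"resource": resource}}


def is_case_settings_change(udm: dict) -> bool:
    """Detection-side check: match on resource_type as well as event_type, so an
    UpdateCaseSettings event demoted to GENERIC_EVENT is not missed."""
    res = udm["target"]["resource"]
    return (udm["metadata"]["event_type"] == "SETTING_MODIFICATION"
            or res.get("resource_type") == "SETTING")


if __name__ == "__main__":
    for sample in (SAMPLE_SETTINGS_WITH_IP, SAMPLE_SETTINGS_NO_IP, SAMPLE_EXPORT):
        udm = map_compliance_record(sample)
        print(udm["metadata"]["event_type"], is_case_settings_change(udm))
```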
SearchViewed
The following table lists the log fields and corresponding UDM mappings for the operation "SearchViewed" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id. If Name is SearchIds, Value is mapped to target.resource.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
CaseMemberAdded
The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberAdded" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_CREATION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.user.email_addresses; about.user.product_object_id. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is CaseMembersSmtp, each Value is mapped to about.user.email_addresses. If Name is CaseMembersGuid, each Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". The target_user value is extracted with the grok pattern grok { match => { "Parameters" => ".*-(Member|User) \"%{DATA:target_user}\"" } }. |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
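The SecurityComplianceCenter rules shared by the ViewedSearchExported and CaseMemberAdded tables above, applied to two constructed records: Cmdlet and CmdletOptions are joined into principal.process.command_line, the -Member/-User argument is pulled back out of that command line as target_user, and ExtendedProperties are split by Name into the case id, the SearchIds label and the about.user member lists. This is an added example, not Chronicle's parser code; the GUIDs, addresses, case name, cmdlet options and location values are made up, the ";" separator for multi-valued CaseMembersSmtp/CaseMembersGuid and the GENERIC_EVENT fallback for unlisted operations are this example's assumptions, and the Python regex stands in for the grok pattern the table names.

```python
"""Added example (not Chronicle's parser code): the SecurityComplianceCenter mapping
rules shared by ViewedSearchExported and CaseMemberAdded, on constructed records."""
import json
import re

# event_type per operation, taken from the tables above.
EVENT_TYPES = {
    "ViewedSearchExported": "USER_RESOURCE_ACCESS",
    "CaseMemberAdded": "USER_CREATION",
}
# Python form of the grok pattern  .*-(Member|User) \"%{DATA:target_user}\"
TARGET_USER_RE = re.compile(r'-(?:Member|User) "(?P<target_user>.*?)"')
LOCATION_FIELDS = ("ExchangeLocations", "PublicFolderLocations", "SharepointLocations")

# Constructed sample records; GUIDs, addresses, case names and options are made up.
SAMPLE_CASE_MEMBER_ADDED = json.dumps({
    "Operation": "CaseMemberAdded", "Workload": "SecurityComplianceCenter",
    "ClientApplication": "EMC", "CmdletVersion": "15.20.1234.001", "Version": "1",
    "EffectiveOrganization": "contoso.onmicrosoft.com",
    "UserServicePlan": "ENTERPRISEPREMIUM",
    "ClientRequestId": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "Case": "Litigation 42", "ObjectType": "Case", "StartTime": "2024-05-01T10:15:00",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Add-ComplianceCaseMember"},
        {"Name": "CmdletOptions", "Value": '-Case "Litigation 42" -Member "bob@contoso.com"'},
    ],
    "ExtendedProperties": [
        {"Name": "CaseId", "Value": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
        {"Name": "CaseMembersSmtp", "Value": "bob@contoso.com;carol@contoso.com"},
        {"Name": "CaseMembersGuid",
         "Value": "aaaaaaaa-0000-0000-0000-000000000001;bbbbbbbb-0000-0000-0000-000000000002"},
    ],
})
SAMPLE_VIEWED_SEARCH_EXPORTED = json.dumps({
    "Operation": "ViewedSearchExported", "Workload": "SecurityComplianceCenter",
    "ClientApplication": "EMC", "CmdletVersion": "15.20.1234.001", "Version": "1",
    "EffectiveOrganization": "contoso.onmicrosoft.com",
    "UserServicePlan": "ENTERPRISEPREMIUM",
    "Case": "Litigation 42", "ObjectType": "Search", "StartTime": "2024-05-02T09:00:00",
    "ExchangeLocations": "All", "Query": 'subject:"merger"',
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Get-ComplianceSearchAction"},
        {"Name": "CmdletOptions", "Value": '-Identity "Merger mail_Export"'},
    ],
    "ExtendedProperties": [
        {"Name": "CaseId", "Value": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
        {"Name": "SearchIds", "Value": "c0ffee00-0000-0000-0000-000000000003"},
    ],
})


def _pairs(items) -> dict:
    """Turn a Name/Value list into a dict (Values are strings in the audit record)."""
    return {p["Name"]: str(p.get("Value", "")) for p in items or []}


def map_scc_record(raw: str) -> dict:
    rec = json.loads(raw)
    params, ext = _pairs(rec.get("Parameters")), _pairs(rec.get("ExtendedProperties"))
    udm = {
        "metadata": {
            "event_type": EVENT_TYPES.get(rec.get("Operation"), "GENERIC_EVENT"),  # fallback assumed
            # The tables map both Version and CmdletVersion here; CmdletVersion wins in this example.
            "product_version": rec.get("CmdletVersion") or rec.get("Version"),
            "description": rec.get("Case"),
        },
        "principal": {"application": rec.get("ClientApplication"), "process": {},
                      "labels": [{"key": k, "value": rec[k]}
                                 for k in ("ClientRequestId", "UserServicePlan") if k in rec]},
        "target": {"administrative_domain": rec.get("EffectiveOrganization"),
                   "resource": {"attribute": {"creation_time": rec.get("StartTime")}},
                   "user": {}},
        "about": {"labels": [], "user": {}},
        "security_result": {"summary": rec.get("ObjectType"), "description": rec.get("Query"),
                            "category_details": [rec[k] for k in LOCATION_FIELDS if rec.get(k)]},
    }
    # Parameters: command_line is "{Cmdlet} {CmdletOptions}"; the grok then pulls the
    # -Member/-User argument out of it as target_user (email_addresses or userid).
    if "Cmdlet" in params:
        cmdline = f"{params['Cmdlet']} {params.get('CmdletOptions', '')}".strip()
        udm["principal"]["process"]["command_line"] = cmdline
        match = TARGET_USER_RE.search(cmdline)
        if match:
            who = match["target_user"]
            if "@" in who:
                udm["target"]["user"]["email_addresses"] = [who]
            else:
                udm["target"]["user"]["userid"] = who
    # ExtendedProperties: CaseId -> resource id, SearchIds -> about label,
    # CaseMembersSmtp / CaseMembersGuid -> about.user lists (";" separator assumed).
    if "CaseId" in ext:
        udm["target"]["resource"]["product_object_id"] = ext["CaseId"]
    if "SearchIds" in ext:
        udm["about"]["labels"].append({"key": "SearchIds", "value": ext["SearchIds"]})
    if "CaseMembersSmtp" in ext:
        udm["about"]["user"]["email_addresses"] = ext["CaseMembersSmtp"].split(";")
    if "CaseMembersGuid" in ext:
        udm["about"]["user"]["product_object_id"] = ext["CaseMembersGuid"].split(";")
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_CASE_MEMBER_ADDED, SAMPLE_VIEWED_SEARCH_EXPORTED):
        print(json.dumps(map_scc_record(sample), indent=2))
```

The same Parameters and ExtendedProperties handling applies to the other SecurityComplianceCenter tables below; only the event_type and the ExtendedProperties names (SearchIds, HoldId, CaseAdminsSmtp, CaseAdminsGuid) change per operation.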
SearchUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "SearchUpdated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is SearchIds, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
CaseAdminUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminUpdated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | about.user.email_addresses; about.user.product_object_id. If Name is CaseAdminsSmtp, Value is mapped to about.user.email_addresses. If Name is CaseAdminsGuid, Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
CaseUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "CaseUpdated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.user.email_addresses; about.user.product_object_id. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is CaseMembersSmtp, each Value is mapped to about.user.email_addresses. If Name is CaseMembersGuid, each Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
CaseMemberUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberUpdated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.user.email_addresses; about.user.product_object_id. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is CaseMembersSmtp, each Value is mapped to about.user.email_addresses. If Name is CaseMembersGuid, each Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchPermissionUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionUpdated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExtendedProperties | principal.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
HoldUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "HoldUpdated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is HoldId, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "SearchRemoved" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is SearchIds, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
CaseAdminRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminRemoved" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_DELETION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.user.email_addresses; about.user.product_object_id. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is CaseMembersSmtp, each Value is mapped to about.user.email_addresses. If Name is CaseMembersGuid, each Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line; target.user.email_addresses; target.user.userid. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". target_user is mapped to target.user.email_addresses or target.user.userid. |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
CaseRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "CaseRemoved" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.user.email_addresses; about.user.product_object_id. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is CaseMembersSmtp, each Value is mapped to about.user.email_addresses. If Name is CaseMembersGuid, each Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchPermissionRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionRemoved" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | principal.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
HoldRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "HoldRemoved" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is HoldId, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
HoldCreated
The following table lists the log fields and corresponding UDM mappings for the operation "HoldCreated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is HoldId, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SearchCreated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is SearchIds, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
CaseAdminAdded
The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminAdded" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_CREATION |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExtendedProperties | target.resource.product_object_id; about.user.email_addresses; about.user.product_object_id. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is CaseMembersSmtp, each Value is mapped to about.user.email_addresses. If Name is CaseMembersGuid, each Value is mapped to about.user.product_object_id. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchStarted
The following table lists the log fields and corresponding UDM mappings for the operation "SearchStarted" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id; about.labels.key/value. If Name is CaseId, the ID is mapped to target.resource.product_object_id. If Name is SearchIds, the ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions, store Value in the process_args variable. If Name is Cmdlet, store Value in the process_value variable. Then principal.process.command_line is set to "{process_value} {process_args}". |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
SearchReport
The following table lists the log fields and corresponding UDM mappings for the SearchReport operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}" |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchStopped
The following table lists the log fields and corresponding UDM mappings for the SearchStopped operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.labels.key/value: if Name is CaseId then ID is mapped to target.resource.product_object_id; if Name is SearchIds then ID is mapped to about.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}" |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
CaseViewed
The following table lists the log fields and corresponding UDM mappings for the CaseViewed operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.user.email_addresses, about.user.product_object_id: if Name is CaseId then ID is mapped to target.resource.product_object_id; if Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses; if Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
ObjectType | security_result.summary |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}" |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
SearchExportDownloaded
The following table lists the log fields and corresponding UDM mappings for the SearchExportDownloaded operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.labels.key/value: if Name is CaseId then ID is mapped to target.resource.product_object_id; if Name is SearchIds then ID is mapped to about.labels.key/value |
ObjectType | security_result.summary |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}" |
Version | metadata.product_version |
CaseMemberRemoved
The following table lists the log fields and corresponding UDM mappings for the CaseMemberRemoved operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.user.email_addresses, about.user.product_object_id: if Name is CaseId then ID is mapped to target.resource.product_object_id; if Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses; if Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
ObjectType | security_result.summary |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}". Extract target_user using grok: grok { match => { "Parameters" => ".*-(Member|User) %{DATA:target_user}" } } |
Version | metadata.product_version |
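As an added example that is not part of the page or the Chronicle parser, the Python below applies the Parameters and ExtendedProperties rules from the SecurityComplianceCenter tables above (the Cmdlet/CmdletOptions command line, the CaseId, CaseMembersSmtp, CaseMembersGuid and SearchIds properties, and the target_user grok from the CaseMemberRemoved table) to a constructed audit record. The Name/Value record layout, the `normalise` function name and the choice of target.user.userid as the destination for target_user are assumptions.

```python
"""Added example (not the page's or the Chronicle parser's code): normalise a constructed
SecurityComplianceCenter audit record into the UDM fields the tables above describe."""
import re
from typing import Any, Dict, List, Optional

# Operation -> metadata.event_type, as listed in the SecurityComplianceCenter tables above.
EVENT_TYPE_BY_OPERATION = {
    "SearchStarted": "USER_RESOURCE_ACCESS",
    "SearchReport": "USER_RESOURCE_ACCESS",
    "SearchStopped": "USER_UNCATEGORIZED",
    "CaseViewed": "USER_RESOURCE_ACCESS",
    "SearchExportDownloaded": "USER_RESOURCE_ACCESS",
    "CaseMemberRemoved": "USER_DELETION",
    "CaseAdded": "USER_RESOURCE_CREATION",
    "SearchPermissionCreated": "USER_UNCATEGORIZED",
}
# Regex form of the grok ".*-(Member|User) %{DATA:target_user}" in the CaseMemberRemoved table,
# applied here to the assembled command line (an assumption about the parser's input).
TARGET_USER_RE = re.compile(r".*-(?:Member|User) (?P<target_user>\S+)")
# Raw fields that map one-to-one onto a UDM field in every table above.
DIRECT_FIELDS = {
    "Version": ("metadata", "product_version"),
    "Case": ("metadata", "description"),
    "EffectiveOrganization": ("target", "administrative_domain"),
    "ClientApplication": ("principal", "application"),
    "ObjectType": ("security_result", "summary"),
    "Query": ("security_result", "description"),
}
LOCATION_FIELDS = ("ExchangeLocations", "SharepointLocations", "PublicFolderLocations")


def _name_value_pairs(items: Optional[List[Dict[str, Any]]]) -> Dict[str, Any]:
    """Turn the audit log's [{"Name": ..., "Value": ...}, ...] lists into a dict."""
    return {item["Name"]: item["Value"] for item in items or []}


def _as_list(value: Any) -> List[str]:
    """Values arrive as a scalar or a list; normalise to a list of strings."""
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def normalise(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a nested dict keyed like the UDM paths used in the tables above."""
    udm: Dict[str, Any] = {"metadata": {}, "principal": {}, "target": {},
                           "about": {}, "security_result": {}}
    operation = record.get("Operation", "")
    udm["metadata"]["event_type"] = EVENT_TYPE_BY_OPERATION.get(operation, "USER_UNCATEGORIZED")
    for raw, (section, field) in DIRECT_FIELDS.items():
        if raw in record:
            udm[section][field] = str(record[raw])
    # Every *Locations field lands in security_result.category_details.
    details = [loc for f in LOCATION_FIELDS for loc in _as_list(record.get(f))]
    if details:
        udm["security_result"]["category_details"] = details
    # Parameters: "{Cmdlet} {CmdletOptions}" -> principal.process.command_line.
    params = _name_value_pairs(record.get("Parameters"))
    parts = [params[k] for k in ("Cmdlet", "CmdletOptions") if params.get(k)]
    if parts:
        command_line = " ".join(parts)
        udm["principal"]["process"] = {"command_line": command_line}
        match = TARGET_USER_RE.match(command_line) if operation == "CaseMemberRemoved" else None
        if match:
            # The page does not say where target_user lands; target.user.userid is an assumption.
            udm["target"]["user"] = {"userid": match.group("target_user")}
    # ExtendedProperties: CaseId, CaseMembersSmtp, CaseMembersGuid and SearchIds.
    ext = _name_value_pairs(record.get("ExtendedProperties"))
    if "CaseId" in ext:
        udm["target"]["resource"] = {"product_object_id": str(ext["CaseId"])}
    about_user = {}
    if "CaseMembersSmtp" in ext:
        about_user["email_addresses"] = _as_list(ext["CaseMembersSmtp"])
    if "CaseMembersGuid" in ext:
        about_user["product_object_id"] = _as_list(ext["CaseMembersGuid"])
    if about_user:
        udm["about"]["user"] = about_user
    if "SearchIds" in ext:
        udm["about"]["labels"] = [{"key": "SearchIds", "value": v} for v in _as_list(ext["SearchIds"])]
    return udm


# Constructed sample record (not real tenant data) in the Name/Value layout assumed above.
SAMPLE_RECORD = {
    "Operation": "CaseMemberRemoved",
    "Version": 1,
    "Case": "Insider Investigation 42",
    "ExchangeLocations": ["alice@example.com"],
    "SharepointLocations": ["https://example.sharepoint.com/sites/legal"],
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Remove-ComplianceCaseMember"},
        {"Name": "CmdletOptions", "Value": "-Case 'Insider Investigation 42' -Member bob@example.com"},
    ],
    "ExtendedProperties": [
        {"Name": "CaseId", "Value": "9a1b2c3d-0000-4000-8000-000000000042"},
        {"Name": "CaseMembersSmtp", "Value": ["alice@example.com", "carol@example.com"]},
        {"Name": "CaseMembersGuid", "Value": ["11111111-0000-4000-8000-000000000001"]},
    ],
}
```

Calling `normalise(SAMPLE_RECORD)` yields a USER_DELETION event whose command line names the removed member, which is the field a detection for unexpected eDiscovery membership changes would key on.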
CaseAdded
The following table lists the log fields and corresponding UDM mappings for the CaseAdded operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.user.email_addresses, about.user.product_object_id: if Name is CaseId then ID is mapped to target.resource.product_object_id; if Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses; if Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
ObjectType | security_result.summary |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}" |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
SearchPermissionCreated
The following table lists the log fields and corresponding UDM mappings for the SearchPermissionCreated operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | principal.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line: if Name is CmdletOptions then store Value in the process_args variable; if Name is Cmdlet then store Value in the process_value variable; then principal.process.command_line is set to "{process_value} {process_args}" |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Version | metadata.product_version |
NetworkConfigurationUpdated
The following table lists the log fields and corresponding UDM mappings for the NetworkConfigurationUpdated operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
ProcessProfileFields
The following table lists the log fields and corresponding UDM mappings for the ProcessProfileFields operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
SupervisorAdminToggled
The following table lists the log fields and corresponding UDM mappings for the SupervisorAdminToggled operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
NetworkSecurityConfigurationUpdated
The following table lists the log fields and corresponding UDM mappings for the NetworkSecurityConfigurationUpdated operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
FileCreated
The following table lists the log fields and corresponding UDM mappings for the FileCreated operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_CREATION; if ResultStatus is TRUE then security_result.action is ALLOW else security_result.action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
GroupCreation
The following table lists the log fields and corresponding UDM mappings for the GroupCreation operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
MessageDeleted
The following table lists the log fields and corresponding UDM mappings for the MessageDeleted operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
GroupDeletion
The following table lists the log fields and corresponding UDM mappings for the GroupDeletion operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
DataExport
The following table lists the log fields and corresponding UDM mappings for the DataExport operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
FileVisited
The following table lists the log fields and corresponding UDM mappings for the FileVisited operation and the Yammer workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_READ; if ResultStatus is TRUE then action is ALLOW else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
StreamInvokeVideoView
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoView operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoShare
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoShare operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION; if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoLike
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoLike operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoUnLike
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoUnLike operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoUpload
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoUpload operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION; if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoDownload
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoDownload operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION; if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoSetLink
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoSetLink operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamCreateGroup
The following table lists the log fields and corresponding UDM mappings for the StreamCreateGroup operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditGroup
The following table lists the log fields and corresponding UDM mappings for the StreamEditGroup operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamDeleteGroup
The following table lists the log fields and corresponding UDM mappings for the StreamDeleteGroup operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditGroupMemberships
The following table lists the log fields and corresponding UDM mappings for the StreamEditGroupMemberships operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamCreateChannel
The following table lists the log fields and corresponding UDM mappings for the StreamCreateChannel operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditChannel
The following table lists the log fields and corresponding UDM mappings for the StreamEditChannel operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | network.http.referral_url |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamDeleteChannel
The following table lists the log fields and corresponding UDM mappings for the StreamDeleteChannel operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | network.http.referral_url |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeChannelSetThumbnail
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeChannelSetThumbnail operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | network.http.referral_url |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditVideoPermissions
The following table lists the log fields and corresponding UDM mappings for the StreamEditVideoPermissions operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION; if ResultStatus is Succeeded then action is ALLOW else action is BLOCK | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditVideo
The following table lists the log fields and corresponding UDM mappings for the StreamEditVideo operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamDeleteVideo
The following table lists the log fields and corresponding UDM mappings for the StreamDeleteVideo operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditUserSettings
The following table lists the log fields and corresponding UDM mappings for the StreamEditUserSettings operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamEditAdminTenantSettings
The following table lists the log fields and corresponding UDM mappings for the StreamEditAdminTenantSettings operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamCreateVideoComment
The following table lists the log fields and corresponding UDM mappings for the StreamCreateVideoComment operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamDeleteVideoComment
The following table lists the log fields and corresponding UDM mappings for the StreamDeleteVideoComment operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoTextTrackUpload
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoTextTrackUpload operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamDeleteVideoTextTrack
The following table lists the log fields and corresponding UDM mappings for the StreamDeleteVideoTextTrack operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoThumbnailUpload
The following table lists the log fields and corresponding UDM mappings for the StreamInvokeVideoThumbnailUpload operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION; if ResultStatus is Succeeded then action is ALLOW else action is BLOCK | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamCreateVideo
The following table lists the log fields and corresponding UDM mappings for the StreamCreateVideo operation and the MicrosoftStream workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url_back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
DlpRuleMatch
The following table lists the log fields and corresponding UDM mappings for the DlpRuleMatch operation and the Exchange/SharePoint/OneDrive workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION | |
SharePointMetaData | network.http.referral_url |
ExchangeMetaData | network.email.from |
ExceptionInfo | about.labels.key/value |
PolicyDetails | target.resource.product_object_id |
IncidentId | about.labels.key/value |
Version | metadata.product_version |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
DlpRuleUndo
The following table lists the log fields and corresponding UDM mappings for the DlpRuleMigrate operation and the SharePoint/OneDrive workload:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION; security_result.category is set to DATA_EXFILTRATION; ObjectId is mapped to network.email.mail_id | |
SharePointMetaData | network.http.referral_url, network.email.from, target.file.full_path, target.url, target.file.size: SiteCollectionUrl is mapped to network.http.referral_url; From is mapped to network.email.from (only if the ExchangeMetaData field is not present in the log); FileName is mapped to target.file.full_path; FilePathUrl is mapped to target.url; FileSize is mapped to target.file.size |
ExceptionInfo | about.labels.key/value |
PolicyDetails | target.resource.product_object_id, security_result.summary, security_result.description, security_result.rule_id, security_result.rule_name, security_result.severity: PolicyId is mapped to target.resource.product_object_id; PolicyName is mapped to security_result.summary; SensitiveInformationTypeName is mapped to security_result.description; RuleId is mapped to security_result.rule_id; RuleName is mapped to security_result.rule_name; Severity is mapped to security_result.severity |
IncidentId | about.labels.key/value |
Version | metadata.product_version |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
DlpInfo
The following table lists the log fields and corresponding UDM mappings for the operation "DlpInfo" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION. security_result.category is set to DATA_EXFILTRATION. ObjectId is mapped to network.email.mail_id. | |
SharePointMetaData | network.http.referral_url, network.email.from, target.file.full_path, target.url, target.file.size. SiteCollectionUrl is mapped to network.http.referral_url. From is mapped to network.email.from (only if the ExchangeMetadata field is absent from the log). FileName is mapped to target.file.full_path. FilePathUrl is mapped to target.url. FileSize is mapped to target.file.size. |
ExceptionInfo | about.labels.key/value |
PolicyDetails | target.resource.product_object_id, security_result.summary, security_result.description, security_result.rule_id, security_result.rule_name, security_result.severity. PolicyId is mapped to target.resource.product_object_id. PolicyName is mapped to security_result.summary. SensitiveInformationTypeName is mapped to security_result.description. RuleId is mapped to security_result.rule_id. RuleName is mapped to security_result.rule_name. Severity is mapped to security_result.severity. |
IncidentId | about.labels.key/value |
Version | metadata.product_version |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
MipLabel
The following table lists the log fields and corresponding UDM mappings for the operation "MipLabel" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_UNCATEGORIZED. ObjectId is mapped to network.email.mail_id. | |
ApplicationMode | about.labels.key/value |
ItemName | network.email.subject |
LabelAppliedDateTime | principal.labels.key/value |
LabelId | target.resource.product_object_id |
LabelName | target.resource.name |
Receivers | network.email.to |
Sender | network.email.from |
Version | metadata.product_version |
SiteCollectionCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionCreated" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. ObjectId is mapped to target.url. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
CorrelationId | security_result.detection_fields.key/value |
EventData | target.resource.name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
Version | metadata.product_version |
SiteDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "SiteDeleted" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. ObjectId is mapped to target.url. | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
MachineId | target.asset.product_object_id |
PreviewModeEnabledSet
The following table lists the log fields and corresponding UDM mappings for the operation "PreviewModeEnabledSet" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
Site | target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
OfficeOnDemandSet
The following table lists the log fields and corresponding UDM mappings for the operation "OfficeOnDemandSet" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
Site | target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
HubSiteJoined
The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteJoined" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. ObjectId is mapped to target.url. | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
EventData | target.resource.attribute.labels.key/value. PreviousHubSiteId, HubSiteId and IsHubSiteId are each mapped to target.resource.attribute.labels.key/value. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
HubSiteRegistered
The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteRegistered" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
EventData | target.resource.attribute.labels.key/value. HubSiteId and IsHubSiteId are each mapped to target.resource.attribute.labels.key/value. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
HubSiteUnjoined
The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteUnjoined" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. ObjectId is mapped to target.url. | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
EventData | target.resource.attribute.labels.key/value. IsHubSiteId is mapped to target.resource.attribute.labels.key/value. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
HubSiteUnregistered
The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteUnregistered" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. ObjectId is mapped to target.url. | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
EventData | target.resource.attribute.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SharingPolicyChanged
The following table lists the log fields and corresponding UDM mappings for the operation "SharingPolicyChanged" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. ObjectId is mapped to target.url. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
AssertingApplicationId | about.labels.key/value |
ModifiedProperties | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
NetworkAccessPolicyChanged
The following table lists the log fields and corresponding UDM mappings for the operation "NetworkAccessPolicyChanged" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.ip, target.labels.key/value. If Name is IPAddressAllowList, NewValue is mapped to target.ip; otherwise it is mapped to target.labels.key/value. |
Site | target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
AlertEntityGenerated
The following table lists the log fields and corresponding UDM mappings for the operation "AlertEntityGenerated" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT. security_result.category is set to DATA_EXFILTRATION. | |
AlertId | target.resource.product_object_id |
AlertType | target.resource.attribute.labels.key/value |
Name | security_result.summary |
PolicyId | target.labels.key/value |
Status | target.resource.attribute.labels.key/value |
Severity | security_result.severity |
Category | security_result.category_details |
Source | security_result.description |
Comments | about.labels.key/value |
Data | about.labels.key/value |
AlertEntityId | target.user.userid or target.user.email_addresses |
EntityType | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
AlertTriggered
The following table lists the log fields and corresponding UDM mappings for the operation "AlertTriggered" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT. security_result.category is set to DATA_EXFILTRATION. | |
AlertId | target.resource.product_object_id |
AlertType | target.resource.attribute.labels.key/value |
Name | security_result.summary |
PolicyId | target.labels.key/value |
Status | target.resource.attribute.labels.key/value |
Severity | security_result.severity |
Category | security_result.category_details |
Source | security_result.description |
Comments | about.labels.key/value |
Data | about.labels.key/value |
AlertEntityId | target.user.userid or target.user.email_addresses |
EntityType | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
AlertUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "AlertUpdated" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT. security_result.category is set to DATA_EXFILTRATION. | |
AlertId | target.resource.product_object_id |
AlertType | target.resource.attribute.labels.key/value |
Name | security_result.summary |
PolicyId | target.labels.key/value |
Status | target.resource.attribute.labels.key/value |
Severity | security_result.severity |
Category | security_result.category_details |
Source | security_result.description |
Comments | about.labels.key/value |
Data | about.labels.key/value |
AlertEntityId | target.user.userid or target.user.email_addresses |
EntityType | target.resource.attribute.labels.key/value |
Version | metadata.product_version |
Get-ComplianceCase
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCase" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-CaseHoldPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-CaseHoldPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_UNCATEGORIZED. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-ComplianceSearch
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearch" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Remove-CaseHoldPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Set-CaseHoldPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
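Several of the mappings above are conditional rather than one-to-one: NetworkAccessPolicyChanged sends the IPAddressAllowList entry of ModifiedProperties to target.ip and every other property to target labels; SiteDeleted composes src.file.full_path and target.file.full_path from a relative URL and a file name; and the SecurityComplianceCenter cmdlet records such as Set-CaseHoldPolicy only keep their SETTING_* event type and SETTING resource type when ClientIP is present, falling back to GENERIC_EVENT otherwise. The following Python is an added example, not Chronicle's parser code, that applies those three documented rules to constructed audit records so the behaviour can be checked before writing detections against the normalized fields. It assumes a flat dotted-name representation of UDM, a comma-separated NewValue for the IP allow list, and sample records that are made up here rather than taken from a tenant.

```python
"""Added example: applies three conditional UDM mapping rules from the
Office 365 tables to constructed audit records. Not Chronicle's parser."""
from __future__ import annotations

from typing import Any, Optional

# Constant metadata.event_type per operation, taken from the tables above.
EVENT_TYPES = {
    "NetworkAccessPolicyChanged": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "SiteDeleted": "USER_RESOURCE_DELETION",
    "Set-CaseHoldPolicy": "SETTING_MODIFICATION",
}

# Cmdlet operations whose event type falls back to GENERIC_EVENT without ClientIP.
CLIENT_IP_DEPENDENT = {"Set-CaseHoldPolicy"}


def _label(udm: dict[str, Any], path: str, key: str, value: str) -> None:
    """Append a key/value pair to a repeated UDM label field such as target.labels."""
    udm.setdefault(path, []).append({"key": key, "value": value})


def _join_path(relative_url: Optional[str], file_name: Optional[str]) -> Optional[str]:
    """{RelativeUrl}/{FileName} as the SiteDeleted table specifies; None if a part is missing."""
    if not relative_url or not file_name:
        return None
    return f"{relative_url.rstrip('/')}/{file_name}"


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Return a flat dict of dotted UDM field names for one audit record."""
    op = record["Operation"]
    udm: dict[str, Any] = {"metadata.event_type": EVENT_TYPES.get(op, "GENERIC_EVENT")}
    if "UserAgent" in record:
        udm["network.http.user_agent"] = record["UserAgent"]
    if "Version" in record:
        udm["metadata.product_version"] = str(record["Version"])

    if op == "NetworkAccessPolicyChanged":
        # Only the IPAddressAllowList property becomes target.ip; every other
        # modified property is kept as a target label. The comma-separated
        # NewValue layout is an assumption made for this sample.
        for prop in record.get("ModifiedProperties", []):
            name, new_value = prop.get("Name", ""), str(prop.get("NewValue", ""))
            if name == "IPAddressAllowList":
                udm.setdefault("target.ip", []).extend(
                    ip.strip() for ip in new_value.split(",") if ip.strip())
            else:
                _label(udm, "target.labels", name, new_value)

    elif op == "SiteDeleted":
        udm["target.url"] = record.get("ObjectId")
        src = _join_path(record.get("SourceRelativeUrl"), record.get("SourceFileName"))
        dst = _join_path(record.get("DestinationRelativeUrl"), record.get("DestinationFileName"))
        if src:
            udm["src.file.full_path"] = src
        if dst:
            udm["target.file.full_path"] = dst

    elif op in CLIENT_IP_DEPENDENT:
        # The SETTING resource type only applies when ClientIP is present;
        # otherwise the event type degrades to GENERIC_EVENT.
        if "ClientIP" in record:
            udm["target.resource.resource_type"] = "SETTING"
        else:
            udm["metadata.event_type"] = "GENERIC_EVENT"
        udm["target.process.command_line"] = record.get("Parameters")
        udm["target.administrative_domain"] = record.get("EffectiveOrganization")
        udm["target.resource.attribute.creation_time"] = record.get("StartTime")

    return {k: v for k, v in udm.items() if v is not None}


# Constructed sample records (not real tenant data), shaped like the
# Management Activity API output the tables describe.
SAMPLE_RECORDS = [
    {"Operation": "NetworkAccessPolicyChanged", "Workload": "SharePoint", "Version": 1,
     "UserAgent": "Mozilla/5.0",
     "ModifiedProperties": [
         {"Name": "IPAddressAllowList", "OldValue": "", "NewValue": "203.0.113.0/24, 198.51.100.7"},
         {"Name": "IPAddressEnforcement", "OldValue": "False", "NewValue": "True"}]},
    {"Operation": "SiteDeleted", "Workload": "SharePoint", "Version": 1,
     "ObjectId": "https://example.sharepoint.com/sites/finance",
     "SourceRelativeUrl": "sites/finance/Shared Documents", "SourceFileName": "forecast.xlsx"},
    {"Operation": "Set-CaseHoldPolicy", "Workload": "SecurityComplianceCenter", "Version": 1,
     "ClientIP": "198.51.100.23", "Parameters": '-Identity "Legal hold" -Enabled $false',
     "EffectiveOrganization": "example.onmicrosoft.com", "StartTime": "2024-05-01T10:00:00"},
    {"Operation": "Set-CaseHoldPolicy", "Workload": "SecurityComplianceCenter", "Version": 1,
     "Parameters": '-Identity "Legal hold" -Enabled $false',
     "EffectiveOrganization": "example.onmicrosoft.com", "StartTime": "2024-05-01T10:05:00"},
]


def normalize_all(records: list[dict[str, Any]] = SAMPLE_RECORDS) -> list[dict[str, Any]]:
    """Normalize every sample record; used by the stand-alone run and the checks."""
    return [normalize(r) for r in records]


if __name__ == "__main__":
    for event in normalize_all():
        print(event)
```

The fourth sample record is the same cmdlet call without ClientIP; it is the one that lands in GENERIC_EVENT, which matters because a rule that filters on `metadata.event_type = "SETTING_MODIFICATION"` would silently miss it.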
New-CaseHoldRule
The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldRule" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Remove-CaseHoldRule
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldRule" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Set-CaseHoldRule
The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldRule" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Get-ComplianceSearchAction
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearchAction" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
New-ComplianceCase
The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceCase" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line, target.resource.name |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Remove-ComplianceCase
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCase" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Set-ComplianceCase
The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceCase" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Add-ComplianceCaseMember
The following table lists the log fields and corresponding UDM mappings for the operation "Add-ComplianceCaseMember" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CREATION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.user.email_addresses, target.user.userid |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Remove-ComplianceCaseMember
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCaseMember" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.user.email_addresses, target.user.userid |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Update-ComplianceCaseMember
The following table lists the log fields and corresponding UDM mappings for the operation "Update-ComplianceCaseMember" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
New-ComplianceSearch
The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearch" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Remove-ComplianceSearch
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearch" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Set-ComplianceSearch
The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSearch" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Start-ComplianceSearch
The following table lists the log fields and corresponding UDM mappings for the operation "Start-ComplianceSearch" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Stop-ComplianceSearch
The following table lists the log fields and corresponding UDM mappings for the operation "Stop-ComplianceSearch" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
New-ComplianceSearchAction
The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearchAction" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Remove-ComplianceSearchAction
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearchAction" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is set to GENERIC_EVENT instead. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
New-ComplianceSecurityFilter
The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Remove-ComplianceSecurityFilter
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Set-ComplianceSecurityFilter
The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Add-eDiscoveryCaseAdmin
The following table lists the log fields and corresponding UDM mappings for the operation "Add-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CREATION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.user.email_addresses, target.user.userid |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Remove-eDiscoveryCaseAdmin
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.user.email_addresses, target.user.userid |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
New-CaseHoldPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-AadProtectionLevel
The following table lists the log fields and corresponding UDM mappings for the operation "Get-AadProtectionLevel" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-AutoSensitivityLabelPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-AutoSensitivityLabelPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-DlpSensitiveInformationType
The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationType" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-Label
The following table lists the log fields and corresponding UDM mappings for the operation "Get-Label" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-LabelPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-LabelPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
Get-PolicyConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Get-PolicyConfig" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
Version | metadata.product_version |
ValidaterbacAccessCheck
The following table lists the log fields and corresponding UDM mappings for the operation "ValidaterbacAccessCheck" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
AadAppId | target.labels.key/value |
DataType | security_result.description |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Version | metadata.product_version |
ApplicableAdaptiveScopeChange
The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptiveScopeChange" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.resource.product_object_id. If Name is AssociatedAdaptiveScopeIds then Value is mapped to target.resource.product_object_id |
CorrelationId | security_result.detection_fields |
ObjectType | security_result.summary |
NewComplianceTag
The following table lists the log fields and corresponding UDM mappings for the operation "NewComplianceTag" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is LabelName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
NewRetentionComplianceRule
The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionComplianceRule" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is PolicyName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
NewRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionCompliancePolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_CREATION. target.resource.resource_type is set to SETTING. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is PolicyName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
RemoveComplianceTag
The following table lists the log fields and corresponding UDM mappings for the operation "RemoveComplianceTag" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is LabelName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
RemoveRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "RemoveRetentionCompliancePolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is PolicyName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
SetComplianceTag
The following table lists the log fields and corresponding UDM mappings for the operation "SetComplianceTag" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is LabelName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
SetRetentionComplianceRule
The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionComplianceRule" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. Required field for SETTING_MODIFICATION UDM validation: principal.machineid (IP, hostname, assetId, MAC, etc.). ClientIP is a mandatory field for all Office 365 activities according to the official Office 365 documentation, but in some cases the ClientIP field is absent. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is PolicyName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
SetRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionCompliancePolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name. If Name is PolicyName then Value is mapped to target.resource.name. If Name is Description then Value is mapped to security_result.description. If Name is RetentionAction or WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable. If Name is Cmdlet then store the Value in the process_value variable. Then principal.process.command_line is mapped to {process_value} {process_args} |
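The Python below is an added worked example, not code from this document or from the Chronicle parser: it applies the rules shared by the NewComplianceTag through SetRetentionCompliancePolicy tables (event type, the GENERIC_EVENT fallback when ClientIP is absent, Parameters to principal.process.command_line, ExtendedProperties to target.resource.name and labels) to a constructed audit record. The record layout (Parameters and ExtendedProperties as lists of Name/Value pairs), the sample values and the function names are assumptions.

```python
# Operation -> (event_type, ClientIP-absent fallback applies, resource_type is SETTING),
# transcribed from the tables above.
OPERATION_RULES = {
    "NewComplianceTag": ("USER_RESOURCE_CREATION", False, False),
    "SetComplianceTag": ("USER_RESOURCE_UPDATE_CONTENT", False, False),
    "RemoveComplianceTag": ("SETTING_DELETION", True, True),
    "NewRetentionComplianceRule": ("SETTING_CREATION", True, True),
    "NewRetentionCompliancePolicy": ("SETTING_CREATION", True, True),
    "RemoveRetentionCompliancePolicy": ("SETTING_DELETION", True, True),
    "SetRetentionComplianceRule": ("SETTING_MODIFICATION", True, True),
    "SetRetentionCompliancePolicy": ("SETTING_MODIFICATION", True, True),
}
# The *ComplianceTag tables take target.resource.name from LabelName and label only
# RetentionAction/WorkLoad; the retention tables take PolicyName and also label LabelName.
TAG_OPERATIONS = {"NewComplianceTag", "SetComplianceTag", "RemoveComplianceTag"}

# One-to-one fields that every table in this family shares.
SIMPLE_FIELDS = {
    "CmdletVersion": "metadata.product_version",
    "EffectiveOrganization": "target.administrative_domain",
    "ClientApplication": "principal.application",
    "StartTime": "target.resource.attribute.creation_time",
    "ObjectType": "security_result.summary",
}


def name_value_pairs(items):
    """Flatten a list of {"Name": ..., "Value": ...} entries (assumed layout) into a dict."""
    return {item["Name"]: item["Value"] for item in items or []}


def map_compliance_cmdlet(record):
    """Return a flat dict of UDM field -> value for one audit record."""
    operation = record.get("Operation")
    if operation not in OPERATION_RULES:
        raise ValueError(f"operation not covered by this example: {operation}")
    event_type, ip_fallback, is_setting = OPERATION_RULES[operation]
    udm = {"target.resource.attribute.labels": {}}

    # Event type; an absent (or empty) ClientIP downgrades to GENERIC_EVENT where the
    # table says so, because the stricter event types need a principal machine id.
    if ip_fallback and not record.get("ClientIP"):
        event_type = "GENERIC_EVENT"
    udm["metadata.event_type"] = event_type
    if is_setting:
        udm["target.resource.resource_type"] = "SETTING"

    for log_field, udm_field in SIMPLE_FIELDS.items():
        if log_field in record:
            udm[udm_field] = record[log_field]

    # Parameters: Cmdlet -> process_value, CmdletOptions -> process_args,
    # principal.process.command_line = "{process_value} {process_args}".
    params = name_value_pairs(record.get("Parameters"))
    process_value = params.get("Cmdlet")
    process_args = params.get("CmdletOptions")
    if process_value is not None:
        udm["principal.process.command_line"] = f"{process_value} {process_args or ''}".rstrip()

    # ExtendedProperties: CreatedBy, LabelName/PolicyName, Description and the label keys.
    ext = name_value_pairs(record.get("ExtendedProperties"))
    if operation in TAG_OPERATIONS:
        name_key, label_keys = "LabelName", ("RetentionAction", "WorkLoad")
    else:
        name_key, label_keys = "PolicyName", ("RetentionAction", "WorkLoad", "LabelName")
    if "CreatedBy" in ext:
        udm["target.user.user_display_name"] = ext["CreatedBy"]
    if name_key in ext:
        udm["target.resource.name"] = ext[name_key]
    if "Description" in ext:
        udm["security_result.description"] = ext["Description"]
    for key in label_keys:
        if key in ext:
            udm["target.resource.attribute.labels"][key] = ext[key]
    return udm


# Constructed sample record; not a real tenant's audit log.
SAMPLE_RECORD = {
    "Operation": "SetRetentionCompliancePolicy",
    "Workload": "SecurityComplianceCenter",
    "ClientIP": "203.0.113.10",
    "CmdletVersion": "1.0",
    "EffectiveOrganization": "example.onmicrosoft.com",
    "ObjectType": "RetentionCompliancePolicy",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Set-RetentionCompliancePolicy"},
        {"Name": "CmdletOptions", "Value": '-Identity "Finance 7y" -Enabled $false'},
    ],
    "ExtendedProperties": [
        {"Name": "CreatedBy", "Value": "Compliance Admin"},
        {"Name": "PolicyName", "Value": "Finance 7y"},
        {"Name": "Description", "Value": "Retain finance records for 7 years"},
        {"Name": "WorkLoad", "Value": "Exchange"},
        {"Name": "RetentionAction", "Value": "Keep"},
    ],
}

if __name__ == "__main__":
    for field, value in sorted(map_compliance_cmdlet(SAMPLE_RECORD).items()):
        print(f"{field}: {value}")
```

Disabling a retention policy lands as SETTING_MODIFICATION with the full cmdlet line, which is the field a detection rule for retention tampering would key on; drop ClientIP from the sample to see the same record degrade to GENERIC_EVENT.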
Get-CsTeamsUpgradeOverridePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-CsTeamsUpgradeOverridePolicy" and workload "SkypeForBusiness":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
CmdletVersion | metadata.product_version |
Parameters | security_result.description. If Name is Tenant then Value is mapped to tenant_value. If Name is Identity then Value is mapped to identity_value. security_result.description is Tenant = {tenant_value} / Identity = {identity_value} |
SkypeForBusinessEventType | about.labels.key/value |
TenantName | target.resource.product_object_id |
Version | metadata.product_version |
TeamsAdminAction
The following table lists the log fields and corresponding UDM mappings for the operation "TeamsAdminAction" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded then Action is set to ALLOW. If ResultStatus is Failed then Action is set to BLOCK. | |
AdminActionDetail | security_result.summary |
ClientApplication | network.http.user_agent |
ExtraProperties | additional.fields.key/value.string_value |
UserClaims | security_result.description |
Version | metadata.product_version |
Update-DistributionGroupMember
The following table lists the log fields and corresponding UDM mappings for the operation "Update-DistributionGroupMember" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION. ObjectId is set to target.group.group_display_name. security_result.summary is set to Group Members definition. If ResultStatus is True then Action is set to ALLOW, else Action is set to BLOCK. | |
ClientVersion | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | security_result.description, target.group.product_object_id or target.group.email_addresses, target.group.attribute.labels.key/value. If Name is Members then Value is mapped to security_result.description. If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses, else Value is mapped to target.group.attribute.labels.key/value |
SessionId | network.session_id |
Version | metadata.product_version |
SupervisoryReviewOLAudit
The following table lists the log fields and corresponding UDM mappings for the operation "SupervisoryReviewOLAudit" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION. Extract auditScore from ResultStatus using the pattern ResultStatus .*?Score:{auditScore} and map it so that security_result.confidence_details is {auditScore}. security_result.confidence is mapped based on auditScore. | |
LogonType | extensions.auth.mechanism |
InternalLogonType | about.labels.key/value |
MailboxGuid | target.labels.key/value |
MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
MailboxOwnerSid | target.user.windows_sid |
MailboxOwnerMasterAccountSid | target.labels.key/value |
LogonUserSid | principal.user.windows_sid |
LogonUserDisplayName | principal.user.user_display_name |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientInfoString | network.http.user_agent |
ClientIPAddress | principal.ip and principal.port |
ClientMachineName | principal.hostname |
ClientProcessName | principal.process.file.full_path |
ClientVersion | metadata.product_version |
ExchangeDetails | network.direction, network.email.from, network.email.mail_id, network.email.to, network.email.subject. If Directionality is Incoming then network.direction is mapped to INBOUND. If Directionality is Outgoing then network.direction is mapped to OUTBOUND. From is mapped to network.email.from. InternetMessageId is mapped to network.email.mail_id. Recipients is mapped to network.email.to. Subject is mapped to network.email.subject |
Version | metadata.product_version |
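As an added example that is not part of this document or of the Chronicle parser, the following Python applies the SupervisoryReviewOLAudit rules above (the Score: extraction from ResultStatus, the Directionality to network.direction mapping and the ExchangeDetails email fields) to a constructed Exchange audit record. The ResultStatus text format, the "ip:port" form of ClientIPAddress, the record layout and the function names are assumptions; security_result.confidence is left unset because the page does not give the thresholds the parser derives it from.

```python
import re

# The table's pattern ".*?Score:{auditScore}" as a Python regex: everything after
# "Score:" up to the next whitespace or separator is the score.
SCORE_PATTERN = re.compile(r"Score:(?P<auditScore>[^\s;,]+)")

DIRECTION = {"Incoming": "INBOUND", "Outgoing": "OUTBOUND"}

SIMPLE_FIELDS = {
    "LogonType": "extensions.auth.mechanism",
    "MailboxOwnerUPN": "target.user.email_addresses",
    "MailboxOwnerSid": "target.user.windows_sid",
    "LogonUserSid": "principal.user.windows_sid",
    "LogonUserDisplayName": "principal.user.user_display_name",
    "OriginatingServer": "principal.hostname",
    "OrganizationName": "target.administrative_domain",
    "ClientInfoString": "network.http.user_agent",
    "ClientProcessName": "principal.process.file.full_path",
    "ClientVersion": "metadata.product_version",
}

EMAIL_FIELDS = {
    "From": "network.email.from",
    "InternetMessageId": "network.email.mail_id",
    "Recipients": "network.email.to",
    "Subject": "network.email.subject",
}


def extract_audit_score(result_status):
    """Return the auditScore substring of ResultStatus, or None when there is none."""
    match = SCORE_PATTERN.search(result_status or "")
    return match.group("auditScore") if match else None


def map_supervisory_review(record):
    """Return a flat dict of UDM field -> value for one SupervisoryReviewOLAudit record."""
    udm = {"metadata.event_type": "EMAIL_TRANSACTION"}

    score = extract_audit_score(record.get("ResultStatus"))
    if score is not None:
        udm["security_result.confidence_details"] = score

    for log_field, udm_field in SIMPLE_FIELDS.items():
        if log_field in record:
            udm[udm_field] = record[log_field]

    # ClientIPAddress feeds principal.ip and principal.port; an IPv4 "ip:port"
    # string is assumed here, which is why rpartition is used.
    addr = record.get("ClientIPAddress")
    if addr:
        host, sep, port = addr.rpartition(":")
        udm["principal.ip"] = host if sep else addr
        if sep and port.isdigit():
            udm["principal.port"] = int(port)

    details = record.get("ExchangeDetails") or {}
    direction = DIRECTION.get(details.get("Directionality"))
    if direction:
        udm["network.direction"] = direction
    for log_field, udm_field in EMAIL_FIELDS.items():
        if log_field in details:
            udm[udm_field] = details[log_field]
    return udm


# Constructed sample record; not a real tenant's audit log.
SAMPLE_RECORD = {
    "Operation": "SupervisoryReviewOLAudit",
    "Workload": "Exchange",
    "ResultStatus": "Succeeded;Score:87",
    "LogonType": "Admin",
    "MailboxOwnerUPN": "reviewer@example.com",
    "LogonUserDisplayName": "Compliance Reviewer",
    "OriginatingServer": "MAILSRV01 (15.20.0000.000)",
    "ClientIPAddress": "198.51.100.7:52113",
    "ExchangeDetails": {
        "Directionality": "Incoming",
        "From": "sender@example.net",
        "InternetMessageId": "<constructed-id@example.net>",
        "Recipients": ["reviewer@example.com"],
        "Subject": "Quarterly numbers",
    },
}

if __name__ == "__main__":
    for field, value in sorted(map_supervisory_review(SAMPLE_RECORD).items()):
        print(f"{field}: {value}")
```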
CrmDefaultActivity
The following table lists the log fields and corresponding UDM mappings for the operation "CrmDefaultActivity" and workload "CRM":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_READ | |
CrmOrganizationUniqueName | principal.resource.name |
InstanceUrl | target.url |
ItemUrl | principal.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
Fields | about.labels.key/value |
EntityId | principal.labels.key/value |
EntityName | principal.labels.key/value |
Message | security_result.summary |
Query | security_result.description |
PrimaryFieldValue | about.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
QueryResults | about.labels.key/value |
ServiceContextId | principal.labels.key/value |
ServiceContextIdType | about.labels.key/value |
ServiceName | principal.application |
SystemUserId | principal.labels.key/value |
Version | metadata.product_version |
TIMailData
The following table lists the log fields and corresponding UDM mappings for the operation "TIMailData" and workload "ThreatIntelligence":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION. ObjectId is set to metadata.product_log_id. | |
AttachmentData | about.file.full_path, about.file.mime_type, about.file.sha256, security_result.category_details. AttachmentData.FileName is mapped to about.file.full_path. AttachmentData.FileType is mapped to about.file.mime_type. AttachmentData.SHA256 is mapped to about.file.sha256. If AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details |
DetectionType | security_result.summary |
DetectionMethod | security_result.description |
InternetMessageId | about.labels.key/value |
NetworkMessageId | about.labels.key/value |
P1Sender | principal.user.email_addresses |
P2Sender | network.email.from |
Policy | security_result.rule_name |
PolicyAction | security_result.action. If PolicyAction is Quarantine then action is set to QUARANTINE. If PolicyAction is MoveToJmf then action is set to ALLOW_WITH_MODIFICATION |
Recipients | network.email.to |
SenderIp | src.ip |
Subject | network.email.subject |
Verdict | security_result.category |
MessageTime | target.resource.attribute.labels.key/value |
EventDeepLink | metadata.url_back_to_product |
DeliveryAction | about.labels.key/value |
OriginalDeliveryLocation | about.labels.key/value |
LatestDeliveryLocation | about.labels.key/value |
Directionality | network.direction |
ThreatsAndDetectionTech | about.labels.key/value |
AdditionalActionsAndResults | about.labels.key/value |
Connectors | about.labels.key/value |
AuthDetails | about.labels.key/value |
PhishConfidenceLevel | about.labels.key/value |
Version | metadata.product_version |
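The Python below is an added worked example and not code from this document or from the Chronicle parser: it applies the TIMailData table above (one about.file entity per attachment, the FileVerdict 0 rule for security_result.category_details, PolicyAction to security_result.action, and the sender, recipient and verdict fields) to a constructed Threat Intelligence record. The record layout (AttachmentData as a list), the sample values including the placeholder SHA-256 digests, and the function names are assumptions.

```python
# PolicyAction values the table maps; anything else leaves security_result.action unset.
POLICY_ACTIONS = {"Quarantine": "QUARANTINE", "MoveToJmf": "ALLOW_WITH_MODIFICATION"}

SIMPLE_FIELDS = {
    "DetectionType": "security_result.summary",
    "DetectionMethod": "security_result.description",
    "P1Sender": "principal.user.email_addresses",
    "P2Sender": "network.email.from",
    "Policy": "security_result.rule_name",
    "Recipients": "network.email.to",
    "SenderIp": "src.ip",
    "Subject": "network.email.subject",
    "Verdict": "security_result.category",
    "Directionality": "network.direction",
    "EventDeepLink": "metadata.url_back_to_product",
    "Version": "metadata.product_version",
}


def map_attachment(attachment):
    """Map one AttachmentData entry to its about.file fields, per the table above."""
    entity = {}
    if "FileName" in attachment:
        entity["about.file.full_path"] = attachment["FileName"]
    if "FileType" in attachment:
        entity["about.file.mime_type"] = attachment["FileType"]
    if "SHA256" in attachment:
        entity["about.file.sha256"] = attachment["SHA256"]
    # The table maps MalwareFamily only when FileVerdict is 0 (compared as an int
    # so a string "0" from a JSON export is treated the same way).
    if str(attachment.get("FileVerdict")) == "0" and attachment.get("MalwareFamily"):
        entity["security_result.category_details"] = attachment["MalwareFamily"]
    return entity


def map_timaildata(record):
    """Return a dict of UDM field -> value, with attachments under the "about" key."""
    udm = {"metadata.event_type": "EMAIL_TRANSACTION"}
    if "ObjectId" in record:
        udm["metadata.product_log_id"] = record["ObjectId"]
    for log_field, udm_field in SIMPLE_FIELDS.items():
        if log_field in record:
            udm[udm_field] = record[log_field]
    action = POLICY_ACTIONS.get(record.get("PolicyAction"))
    if action:
        udm["security_result.action"] = action
    udm["about"] = [map_attachment(a) for a in record.get("AttachmentData") or []]
    return udm


# Constructed sample record; digests are placeholders, not real file hashes.
SAMPLE_RECORD = {
    "Operation": "TIMailData",
    "Workload": "ThreatIntelligence",
    "ObjectId": "constructed-object-id-0001",
    "DetectionType": "Inline",
    "DetectionMethod": "File detonation",
    "P1Sender": "bounce@example.net",
    "P2Sender": "accounts@example.net",
    "Recipients": ["finance@example.com"],
    "SenderIp": "192.0.2.25",
    "Subject": "Invoice attached",
    "Verdict": "Malware",
    "Policy": "Default anti-malware policy",
    "PolicyAction": "Quarantine",
    "Directionality": "Inbound",
    "AttachmentData": [
        {"FileName": "invoice.docm", "FileType": "docm", "SHA256": "00" * 32,
         "FileVerdict": 0, "MalwareFamily": "Constructed.Family"},
        {"FileName": "logo.png", "FileType": "png", "SHA256": "11" * 32,
         "FileVerdict": 1},
    ],
}

if __name__ == "__main__":
    for field, value in sorted(map_timaildata(SAMPLE_RECORD).items()):
        print(f"{field}: {value}")
```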
SearchMtpStatus
The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpStatus" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
Version | metadata.product_version |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RemovedFromSiteCollection
The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSiteCollection" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. ObjectId is mapped to target.url. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupType | target.group.group_display_name, target.user.userid, target.user.email_addresses |
WebId | about.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
CommentsDisabled
The following table lists the log fields and corresponding UDM mappings for the operation "CommentsDisabled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.url. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
CorrelationId | security_result.detection_fields.key/value |
SourceRelativeUrl | If ObjectId field is not present in the log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileName | If ObjectId field is not present in the log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
WebId | about.labels.key/value |
UserAgent | network.http.user_agent |
ListItemUniqueId | principal.asset_id |
ListId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileRecycled
The following table lists the log fields and corresponding UDM mappings for the operation "FileRecycled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION. ObjectId is mapped to target.url. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileExtension | target.file.mime_type |
UserSharedWith | target.labels.key/value |
SharingType | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
CommentsEnabled
The following table lists the log fields and corresponding UDM mappings for the operation "CommentsEnabled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.url. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SourceFileExtension | target.file.mime_type |
SiteUrl | network.http.referral_url |
SourceFileName | If the ObjectId field is not present in the log, target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | If the ObjectId field is not present in the log, target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
ApplicationDisplayName | target.application |
FolderRecycled
The following table lists the log fields and corresponding UDM mappings for the operation "FolderRecycled" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION. ObjectId is mapped to target.url. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListItemUniqueId | principal.asset_id |
ListId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileExtension | target.file.mime_type |
UserSharedWith | target.labels.key/value |
SharingType | target.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
CorrelationId | security_result.detection_fields.key/value. |
WebId | about.labels.key/value |
FileTranscriptRequested
The following table lists the log fields and corresponding UDM mappings for the operation "FileTranscriptRequested" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED. ObjectId is mapped to target.url. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListItemUniqueId | principal.asset_id |
ListId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileExtension | target.file.mime_type |
UserSharedWith | target.labels.key/value |
SharingType | target.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
CorrelationId | security_result.detection_fields.key/value. |
WebId | about.labels.key/value |
WACTokenShared
The following table lists the log fields and corresponding UDM mappings for the operation "WACTokenShared" and the workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.url. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListItemUniqueId | principal.asset_id |
ListId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceFileExtension | target.file.mime_type |
UserSharedWith | target.labels.key/value |
SharingType | target.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
CorrelationId | security_result.detection_fields.key/value. |
WebId | about.labels.key/value |
Update label.
The following table lists the log fields and corresponding UDM mappings for the operation "Update label." and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary. If Name is Included Updated Properties, NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
SiteLocksChanged
The following table lists the log fields and corresponding UDM mappings for the operation "SiteLocksChanged" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteIBModeSet
The following table lists the log fields and corresponding UDM mappings for the operation "SiteIBModeSet" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_UNCATEGORIZED. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.url. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
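The FileRecycled, CommentsEnabled and SiteIBModeSet tables above share most of their columns and differ only in three conditions: ObjectId already carries the item URL, CommentsEnabled derives target.file.full_path only when ObjectId is missing, and SiteIBModeSet drops to GENERIC_EVENT when ClientIP is absent. The Python below is an added example that applies exactly those rules to constructed SharePoint/OneDrive audit records; it is not Chronicle's parser and not Microsoft code, the tenant names, paths and GUIDs are invented, and only field names that appear in the tables are used.

```python
# Added example: the SharePoint/OneDrive rules from the FileRecycled,
# CommentsEnabled and SiteIBModeSet tables, applied to constructed records.
# Not Chronicle parser code; it mirrors only the conditions stated in the tables.

# Default metadata.event_type per operation, as given in the tables above.
EVENT_TYPES = {
    "FileRecycled": "FILE_DELETION",
    "FolderRecycled": "FILE_DELETION",
    "CommentsEnabled": "SETTING_MODIFICATION",
    "SiteIBModeSet": "SETTING_UNCATEGORIZED",
}
SETTING_OPS = {"CommentsEnabled", "SiteIBModeSet"}   # resource_type is set to SETTING
IP_REQUIRED_OPS = {"SiteIBModeSet"}                   # GENERIC_EVENT when ClientIP is absent
PATH_ONLY_WITHOUT_OBJECTID = {"CommentsEnabled"}      # full_path only when ObjectId is absent


def map_sharepoint_event(record: dict) -> dict:
    """Return a flat dict of UDM field -> value for one audit record."""
    op = record.get("Operation", "")
    udm = {}

    event_type = EVENT_TYPES.get(op, "GENERIC_EVENT")
    if op in IP_REQUIRED_OPS and not record.get("ClientIP"):
        event_type = "GENERIC_EVENT"
    udm["metadata.event_type"] = event_type
    if op in SETTING_OPS:
        udm["target.resource.resource_type"] = "SETTING"

    object_id = record.get("ObjectId")
    if object_id:
        udm["target.url"] = object_id

    rel, name = record.get("SourceRelativeUrl"), record.get("SourceFileName")
    if rel and name and not (op in PATH_ONLY_WITHOUT_OBJECTID and object_id):
        udm["target.file.full_path"] = f"{rel}/{name}"

    # The tables put the bare extension into mime_type; keep it verbatim so a
    # rule author knows the value is "docx", not "application/...".
    if record.get("SourceFileExtension"):
        udm["target.file.mime_type"] = record["SourceFileExtension"]
    if record.get("UserAgent"):
        udm["network.http.user_agent"] = record["UserAgent"]
    if record.get("SiteUrl"):
        udm["network.http.referral_url"] = record["SiteUrl"]
    if record.get("ListItemUniqueId"):
        udm["principal.asset_id"] = record["ListItemUniqueId"]
    if record.get("MachineId"):
        udm["target.asset.product_object_id"] = record["MachineId"]
    return udm


# Constructed records (invented tenant, paths and GUIDs), one per rule.
SAMPLES = {
    "recycled": {
        "Operation": "FileRecycled", "Workload": "OneDrive", "ClientIP": "203.0.113.10",
        "ObjectId": "https://contoso-my.sharepoint.example/personal/alice/Documents/q3.xlsx",
        "SiteUrl": "https://contoso-my.sharepoint.example/personal/alice/",
        "SourceRelativeUrl": "Documents", "SourceFileName": "q3.xlsx",
        "SourceFileExtension": "xlsx",
        "ListItemUniqueId": "00000000-0000-4000-8000-000000000001",
    },
    "comments_with_objectid": {
        "Operation": "CommentsEnabled", "Workload": "SharePoint", "ClientIP": "203.0.113.10",
        "ObjectId": "https://contoso.sharepoint.example/sites/hr/Shared Documents/notes.docx",
        "SourceRelativeUrl": "Shared Documents", "SourceFileName": "notes.docx",
        "SourceFileExtension": "docx",
    },
    "comments_without_objectid": {
        "Operation": "CommentsEnabled", "Workload": "SharePoint", "ClientIP": "203.0.113.10",
        "SourceRelativeUrl": "Shared Documents", "SourceFileName": "notes.docx",
        "SourceFileExtension": "docx",
    },
    "ib_no_ip": {
        "Operation": "SiteIBModeSet", "Workload": "SharePoint",
        "ObjectId": "https://contoso.sharepoint.example/sites/hr",
    },
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, map_sharepoint_event(rec))
```

Two points worth keeping in mind when writing rules against this log type: target.file.mime_type holds the raw SourceFileExtension, so match on extension strings rather than MIME types, and a SiteIBModeSet record without ClientIP (for example a service-initiated change) will surface as GENERIC_EVENT rather than SETTING_UNCATEGORIZED.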
SiteDesignInvoked
The following table lists the log fields and corresponding UDM mappings for the operation "SiteDesignInvoked" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.url. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. SiteDesignId is mapped to target.resource.attribute.labels.key/value. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteContentTypeCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeCreated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. ObjectId is mapped to target.url. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
ListTitle | about.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteCollectionQuotaModified
The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionQuotaModified" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.url. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ShortcutAdded
The following table lists the log fields and corresponding UDM mappings for the operation "ShortcutAdded" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION. ObjectId is mapped to target.url. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
SourceFileExtension | target.file.mime_type |
SiteUrl | network.http.referral_url |
SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SPOIBIsEnabled
The following table lists the log fields and corresponding UDM mappings for the operation "SPOIBIsEnabled" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
WebAccessRequestApproverModified
The following table lists the log fields and corresponding UDM mappings for the operation "WebAccessRequestApproverModified" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value. |
ModifiedProperties | target.labels.key/value. If Name is RequestAccessEmail, NewValue is mapped to target.user.email_addresses or target.user.userid; otherwise it is mapped to target.labels.key/value. |
Set-TransportConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Set-TransportConfig" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
AppId | target.labels.key/value |
Parameters | principal.user.email_addresses, principal.user.userid. If Name is Identity, Value is mapped to principal.user.email_addresses or principal.user.userid. |
Set-TenantObjectVersion
The following table lists the log fields and corresponding UDM mappings for the operation "Set-TenantObjectVersion" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value. If Name is DomainController, Value is mapped to target.administrative_domain; otherwise it is mapped to target.labels.key/value. |
Set-RecipientEnforcementProvisioningPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-RecipientEnforcementProvisioningPolicy" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
Set-PolicyConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Set-PolicyConfig" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is set to ACCESS_POLICY. |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Set-OwaMailboxPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-OwaMailboxPolicy" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
Set-MailboxPlan
The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailboxPlan" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
Set-LabelProperties
The following table lists the log fields and corresponding UDM mappings for the operation "Set-LabelProperties" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
SessionId | network.session_id |
Set-Label
The following table lists the log fields and corresponding UDM mappings for the operation "Set-Label" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.labels.key/value |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Set-ExchangeAssistanceConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Set-ExchangeAssistanceConfig" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.url, target.labels.key/value. If Name is PrivacyStatementURL, Value is mapped to target.url; otherwise it is mapped to target.labels.key/value. |
Set-ConditionalAccessPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-ConditionalAccessPolicy" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.resource.name, target.labels.key/value. If Name is DisplayName, Value is mapped to target.resource.name; otherwise it is mapped to target.labels.key/value. |
SessionID | network.session_id |
New-ConditionalAccessPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "New-ConditionalAccessPolicy" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.resource.name, target.labels.key/value. If Name is DisplayName, Value is mapped to target.resource.name; otherwise it is mapped to target.labels.key/value. |
SessionID | network.session_id |
RemovedSearchReport
The following table lists the log fields and corresponding UDM mappings for the operation "RemovedSearchReport" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.labels.key/value. If Name is CaseId, ID is mapped to target.resource.product_object_id; if Name is SearchIds, ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
Parameters | principal.process.command_line. If Name is Cmdlet, Value is stored as process_value; if Name is CmdletOptions, Value is stored as process_args; principal.process.command_line is then set to {process_value} {process_args}. |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Get-PrivacyManagementPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-PrivacyManagementPolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
Set-RetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-RetentionCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Parameters | target.process.command_line |
SearchTrialOffer
The following table lists the log fields and corresponding UDM mappings for the operation "SearchTrialOffer" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchTIKustoClusterInformation
The following table lists the log fields and corresponding UDM mappings for the operation "SearchTIKustoClusterInformation" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchMtpRoleInfo
The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpRoleInfo" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchMailflowForwardingData
The following table lists the log fields and corresponding UDM mappings for the operation "SearchMailflowForwardData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchDataInsightsSubscription
The following table lists the log fields and corresponding UDM mappings for the operation "SearchDataInsightsSubscription" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchCustomerInsight
The following table lists the log fields and corresponding UDM mappings for the operation "SearchCustomerInsight" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchConnectorReportData
The following table lists the log fields and corresponding UDM mappings for the operation "SearchConnectorReportData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchAlertAggregate
The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertAggregate" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchAlert
The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlert" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Enable-AddressListPaging
The following table lists the log fields and corresponding UDM mappings for the operation "Enable-AddressListPaging" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_READ. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
Install-AdminAuditLogConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Install-AdminAuditLogConfig" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
AccessedAggregates
The following table lists the log fields and corresponding UDM mappings for the operation "AccessedAggregates" and the workload "Mip":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
DataType | security_result.description |
version | metadata.product_version |
AccessedSiteList
The following table lists the log fields and corresponding UDM mappings for the operation "AccessedSiteList" and the workload "Mip":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
DataType | security_result.description |
version | metadata.product_version |
Install-DataClassificationConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Install-DataClassificationConfig" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
Set-UnifiedGroup
The following table lists the log fields and corresponding UDM mappings for the operation "Set-UnifiedGroup" and the workload "Exchange":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GROUP_MODIFICATION. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. If ResultStatus is TRUE, security_result.action is set to ALLOW; otherwise it is set to BLOCK. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | network.application_protocol, target.user.email_addresses, target.group.email_addresses. If Name is EmailAddresses, the email addresses and the mail key are extracted from Value; the addresses are mapped to target.user.email_addresses and the mail key to network.email.mail_id. If Name is ExternalEmailAddress, the protocol and the email addresses are extracted from Value; the protocol is mapped to network.application_protocol and the addresses to target.group.email_addresses. |
SessionId | network.session_id |
ApplicableAdaptivePolicyChange
The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptivePolicyChange" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. ObjectId is mapped to target.url. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | principal.process.command_line. If Name is Cmdlet, Value is stored as process_value; if Name is CmdletOptions, Value is stored as process_args; principal.process.command_line is then set to {process_value} {process_args}. |
ClientApplication | principal.application |
Version | metadata.product_version |
ExtendedProperties | security_result.detection_fields.key/value, target.resource.product_object_id. If Name is CorrelationId, the value is mapped to security_result.detection_fields.key/value; if Name is AssociatedAdaptivePolicyIds, the value is mapped to target.resource.product_object_id. |
ObjectType | security_result.summary |
Get-AppRetentionComplianceRule
The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionComplianceRule" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
Parameters | target.process.command_line, target.resource.product_object_id. The Policy value is extracted from Parameters with a grok pattern (".*-Policy" followed by the captured value) and mapped to target.resource.product_object_id. |
New-AppRetentionComplianceRule
The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionComplianceRule" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
ClientRequestId | principal.labels.key/value |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.resource.name, target.resource.product_object_id. Policy and Name are extracted using grok; Name is mapped to target.resource.name and Policy is mapped to target.resource.product_object_id. |
StartTime | target.resource.attribute.creation_time |
New-AppRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
ClientRequestId | principal.labels.key/value |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.resource.name, target.process.command_line. Name is extracted using grok and mapped to target.resource.name. |
StartTime | target.resource.attribute.creation_time |
Set-AppRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-AppRetentionCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
StartTime | target.resource.attribute.creation_time |
Install-DefaultSharingPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Install-DefaultSharingPolicy" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
Install-ResourceConfig
The following table lists the log fields and corresponding UDM mappings for the operation "Install-ResourceConfig" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
New-Mailbox
The following table lists the log fields and corresponding UDM mappings for the operation "New-Mailbox" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED. ObjectId is mapped to target.url. | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
SessionId | network.session_id |
Add-MailboxFolderPermission
The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxFolderPermission" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.resource.name, target.user.user_display_name, target.user.attribute.permissions.name, target.labels.key/value. If Name is Identity, Value is mapped to target.resource.name; if Name is User, Value is mapped to target.user.user_display_name; if Name is AccessRights, Value is mapped to target.user.attribute.permissions.name; otherwise the Name/Value pair is mapped to target.labels.key/value. |
New-LabelPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "New-LabelPolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. target.resource.resource_type is set to ACCESS_POLICY. | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.resource.name, target.process.command_line. Name is extracted using grok and mapped to target.resource.name. |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
New-Label
The following table lists the log fields and corresponding UDM mappings for the operation "New-Label" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.resource.name |
StartTime | target.resource.attribute.creation_time |
UserServicePlan | principal.labels.key/value |
Get-ActivityAlert
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ActivityAlert" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-ProtectionAlert
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ProtectionAlert" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
SearchComplianceCase
The following table lists the log fields and corresponding UDM mappings for the operation "SearchComplianceCase" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | about.labels.key/value |
UserServicePlan | principal.labels.key/value |
version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Remove-ComplianceTag
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceTag" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Remove-AppRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-AppRetentionCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is set to ACCESS_POLICY. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Remove-RetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-RetentionCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is set to ACCESS_POLICY. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
New-ComplianceTag
The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceTag" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.resource.name, target.process.command_line. Name is extracted using grok and mapped to target.resource.name. |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Enable-ComplianceTagStorage
The following table lists the log fields and corresponding UDM mappings for the operation "Enable-ComplianceTagStorage" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceRetentionEventType
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEventType" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
AggregateActivityData
The following table lists the log fields and corresponding UDM mappings for the operation "AggregateActivityData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | about.labels.key/value |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Set-ComplianceTag
The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceTag" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-FilePlanPropertyStructure
The following table lists the log fields and corresponding UDM mappings for the operation "Get-FilePlanPropertyStructure" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
New-ComplianceRetentionEventType
The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceRetentionEventType" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. target.resource.resource_type is set to ACCESS_POLICY. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line, target.resource.name. The extracted target_resource_name value is mapped to target.resource.name. |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-DlpSensitiveInformationTypeRulePackage
The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationTypeRulePackage" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceRetentionEvent
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEvent" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ComplianceSecurityFilter
The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSecurityFilter" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-QuarantineMessage
The following table lists the log fields and corresponding UDM mappings for the operation "Get-QuarantineMessage" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
AggregateThreatProfileDetails
The following table lists the log fields and corresponding UDM mappings for the operation "AggregateThreatProfileDetails" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | about.labels.key/value |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Get-DlpDetectionsReport
The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpDetectionsReport" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
ClientApplication | principal.application |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
Parameters | target.process.command_line |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-AppRetentionCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Add-RoleGroupMember
The following table lists the log fields and corresponding UDM mappings for the operation "Add-RoleGroupMember" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK. | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; target.group.attribute.labels.key/value. If Name is Member, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; if Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; otherwise the Name/Value pair is mapped to target.group.attribute.labels.key/value. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
SessionId | network.session_id |
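An added example, not part of the original documentation or of the Chronicle parser, showing the Parameters mapping rules of the Add-MailboxFolderPermission and Add-RoleGroupMember tables applied to constructed audit records in Python. The tables only say that a Member or Identity value lands in "product_object_id or email_addresses or user_display_name"; choosing among them by the shape of the value (GUID, address, anything else) is an assumption made here.

```python
import re
import uuid

# Constructed sample records in the shape of Microsoft 365 audit entries for the
# Exchange workload; the group, addresses and values are made up for this example.
SAMPLE_ROLE_GROUP_MEMBER = {
    "Operation": "Add-RoleGroupMember",
    "Workload": "Exchange",
    "ObjectId": "Organization Management",
    "ResultStatus": "True",
    "Parameters": [
        {"Name": "Identity", "Value": "Organization Management"},
        {"Name": "Member", "Value": "alice@example.com"},
        {"Name": "BypassSecurityGroupManagerCheck", "Value": "True"},
    ],
}

SAMPLE_FOLDER_PERMISSION = {
    "Operation": "Add-MailboxFolderPermission",
    "Workload": "Exchange",
    "Parameters": [
        {"Name": "Identity", "Value": "bob@example.com:\\Inbox"},
        {"Name": "User", "Value": "Default"},
        {"Name": "AccessRights", "Value": "Reviewer"},
    ],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def set_identity(noun, value, allow_display_name):
    """Place a Member/Identity value in one of the fields the table allows.
    Assumption: a GUID is a product_object_id, an address goes to
    email_addresses, anything else is a display name (users only); a group
    Identity that is neither is kept as product_object_id."""
    if _is_guid(value):
        noun["product_object_id"] = value
    elif EMAIL_RE.match(value or ""):
        noun.setdefault("email_addresses", []).append(value)
    elif allow_display_name:
        noun["user_display_name"] = value
    else:
        noun["product_object_id"] = value


def map_add_role_group_member(record):
    """UDM fields for Add-RoleGroupMember (the same rules apply to
    Update-RoleGroupMember): GROUP_MODIFICATION, ObjectId as the group
    display name, ResultStatus deciding ALLOW/BLOCK, Member/Identity routed
    to user/group fields and every other parameter kept as a group label."""
    udm = {
        "metadata": {"event_type": "GROUP_MODIFICATION"},
        "target": {"group": {"attribute": {"labels": []}}, "user": {}},
        "security_result": {"summary": "Group Members definition"},
    }
    if record.get("ObjectId"):
        udm["target"]["group"]["group_display_name"] = record["ObjectId"]
    allowed = record.get("ResultStatus") == "True"
    udm["security_result"]["action"] = "ALLOW" if allowed else "BLOCK"
    for p in record.get("Parameters", []):
        name, value = p.get("Name"), p.get("Value")
        if name == "Member":
            set_identity(udm["target"]["user"], value, allow_display_name=True)
        elif name == "Identity":
            set_identity(udm["target"]["group"], value, allow_display_name=False)
        else:
            udm["target"]["group"]["attribute"]["labels"].append(
                {"key": name, "value": value})
    return udm


def map_add_mailbox_folder_permission(record):
    """UDM fields for Add-MailboxFolderPermission: Identity is the folder
    (target.resource.name), User is the grantee, AccessRights becomes a
    permission name on the grantee, all other parameters become target labels."""
    udm = {
        "metadata": {"event_type": "USER_RESOURCE_UPDATE_PERMISSIONS"},
        "target": {"resource": {}, "user": {"attribute": {"permissions": []}},
                   "labels": []},
    }
    for p in record.get("Parameters", []):
        name, value = p.get("Name"), p.get("Value")
        if name == "Identity":
            udm["target"]["resource"]["name"] = value
        elif name == "User":
            udm["target"]["user"]["user_display_name"] = value
        elif name == "AccessRights":
            udm["target"]["user"]["attribute"]["permissions"].append({"name": value})
        else:
            udm["target"]["labels"].append({"key": name, "value": value})
    return udm
```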
Update-RoleGroupMember
The following table lists the log fields and corresponding UDM mappings for the operation "Update-RoleGroupMember" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK. | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientVersion | metadata.product_version |
Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; target.group.attribute.labels.key/value. If Name is Member, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; if Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; otherwise the Name/Value pair is mapped to target.group.attribute.labels.key/value. |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
SessionId | network.session_id |
New-RoleGroup
The following table lists the log fields and corresponding UDM mappings for the operation "New-RoleGroup" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK. | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; target.group.attribute.labels.key/value. If Name is Member, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; if Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; otherwise the Name/Value pair is mapped to target.group.attribute.labels.key/value. |
Version | metadata.product_version |
AppId | target.labels.key/value |
SessionId | network.session_id |
ClientAppId | target.labels.key/value |
Provision-ComplianceMailboxFolder
The following table lists the log fields and corresponding UDM mappings for the operation "Provision-ComplianceMailboxFolder" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientVersion | metadata.product_version |
version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
Parameters | target.resource.product_object_id, target.labels.key/value. If Name is FolderName, Value is mapped to target.resource.product_object_id; otherwise the Name/Value pair is mapped to target.labels.key/value. The mapping of the MultiStageReviewFolderSetting parameter is still to be decided. |
Remove-Mailbox
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-Mailbox" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientVersion | metadata.product_version |
version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
Parameters | target.resource.name, target.labels.key/value. If Name is Identity, Value is mapped to target.resource.name; otherwise the Name/Value pair is mapped to target.labels.key/value. |
New-QuarantinePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "New-QuarantinePolicy" and the workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
OriginatingServer | principal.hostname |
OrganizationName | target.administrative_domain |
ClientVersion | metadata.product_version |
version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
Parameters | target.resource.name, target.labels.key/value. If Name is Name, Value is mapped to target.resource.name; all other parameters are mapped to target.labels.key/value. |
SessionId | network.session_id |
Get-RoleGroup
The following table lists the log fields and corresponding UDM mappings for the operation "Get-RoleGroup" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; target.group.attribute.labels.key/value. If Name is Member, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; if Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; otherwise the Name/Value pair is mapped to target.group.attribute.labels.key/value. |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
SearchLabelAnalyticsActivityData
The following table lists the log fields and corresponding UDM mappings for the operation "SearchLabelAnalyticsActivityData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | about.labels.key/value |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Get-DlpCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpCompliancePolicy" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS. target.resource.resource_type is set to ACCESS_POLICY. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
SearchSecurityRedirection
The following table lists the log fields and corresponding UDM mappings for the operation "SearchSecurityRedirection" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | about.labels.key/value |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Get-ComplianceCaseMember
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCaseMember" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
HoldViewed
The following table lists the log fields and corresponding UDM mappings for the operation "HoldViewed" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | principal.process.command_line. If Name is CmdletOptions, Value is stored in the process_args variable; if Name is Cmdlet, Value is stored in the process_value variable. principal.process.command_line is then set to "{process_value} {process_args}". |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.category_details |
ExtendedProperties | target.resource.product_object_id, about.labels.key/value. If Name is CaseId, ID is mapped to target.resource.product_object_id; if Name is HoldId, ID is mapped to about.labels.key/value. |
ObjectType | security_result.summary |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Get-eDiscoveryCaseAdmin
The following table lists the log fields and corresponding UDM mappings for the operation "Get-eDiscoveryCaseAdmin" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-RoleGroupMember
The following table lists the log fields and corresponding UDM mappings for the operation "Get-RoleGroupMember" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-ManagementRole
The following table lists the log fields and corresponding UDM mappings for the operation "Get-ManagementRole" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Set-RoleGroup
The following table lists the log fields and corresponding UDM mappings for the operation "Set-RoleGroup" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.group.group_display_name, target.process.command_line. DisplayName is extracted using grok and the extracted name is mapped to target.group.group_display_name. |
Version | metadata.product_version |
ResultCountSecurityComplianceCenterEventType | about.labels.key/value |
Get-SecurityPrincipal
The following table lists the log fields of the "Get-SecurityPrincipal" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-CaseHoldRule
The following table lists the log fields of the "Get-CaseHoldRule" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_UNCATEGORIZED. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line, target.resource.product_object_id. Extract Policy using grok (match on Parameters: `.*-Policy {target_resource_product_object_id}`) and map it to target.resource.product_object_id |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
ViewedSearchReport
The following table lists the log fields of the "ViewedSearchReport" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | principal.process.command_line. If Name is CmdletOptions then store the Value in the process_args variable; if Name is Cmdlet then store the Value in the process_value variable; then map principal.process.command_line to "{process_value} {process_args}" |
Version | metadata.product_version |
Case | metadata.description |
ExchangeLocations | security_result.summary |
ExtendedProperties | target.resource.product_object_id, about.labels.key/value. If Name is CaseId then ID is mapped to target.resource.product_object_id; if Name is SearchIds then ID is mapped to about.labels.key/value |
ObjectType | security_result.summary |
PublicFolderLocations | security_result.category_details |
Query | security_result.description |
SharepointLocations | security_result.category_details |
Get-AdaptiveScope
The following table lists the log fields of the "Get-AdaptiveScope" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-RetentionCompliancePolicy
The following table lists the log fields of the "Get-RetentionCompliancePolicy" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS. target.resource.resource_type is set to ACCESS_POLICY | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
New-RetentionCompliancePolicy
The following table lists the log fields of the "New-RetentionCompliancePolicy" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. target.resource.resource_type is set to ACCESS_POLICY | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.resource.name, target.process.command_line. Extract Name using grok; Name is mapped to target.resource.name |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
New-RetentionComplianceRule
The following table lists the log fields of the "New-RetentionComplianceRule" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line, target.resource.product_object_id. Extract Policy using grok (match on Parameters: `.*-Policy {target_resource_product_object_id}`) and map it to target.resource.product_object_id |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceTag
The following table lists the log fields of the "Get-ComplianceTag" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Set-RetentionComplianceRule
The following table lists the log fields of the "Set-RetentionComplianceRule" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-RegulatoryComplianceUI
The following table lists the log fields of the "Get-RegulatoryComplianceUI" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Get-RetentionComplianceRule
The following table lists the log fields of the "Get-RetentionComplianceRule" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line, target.resource.product_object_id. Extract Policy using grok (match on Parameters: `.*-Policy {target_resource_product_object_id}`) and map it to target.resource.product_object_id |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
New-AdaptiveScope
The following table lists the log fields of the "New-AdaptiveScope" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.resource.name, target.process.command_line. Extract Name using grok; Name is mapped to target.resource.name |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
Enable-AdaptiveScopeStorage
The following table lists the log fields of the "Enable-AdaptiveScopeStorage" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
SecurityComplianceCenterEventType | about.labels.key/value |
SearchCustomTag
The following table lists the log fields of the "SearchCustomTag" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | about.labels.key/value |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Set-RegulatoryComplianceUI
The following table lists the log fields of the "Set-RegulatoryComplianceUI" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | target.process.command_line |
Version | metadata.product_version |
RemoveRetentionComplianceRule
The following table lists the log fields of the "RemoveRetentionComplianceRule" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | principal.process.command_line. The name and value of the parameters that were used with the corresponding cmdlet. If Name is CmdletOptions then store the Value in the process_args variable; if Name is Cmdlet then store the Value in the process_value variable; then map principal.process.command_line to "{process_value} {process_args}" |
Version | metadata.product_version |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name; if Name is PolicyName then Value is mapped to target.resource.name; if Name is Description then Value is mapped to security_result.description; if Name is RetentionAction, WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
ObjectType | security_result.summary |
NewAdaptiveScope
The following table lists the log fields of the "NewAdaptiveScope" operation with the "SecurityComplianceCenter" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Parameters | principal.process.command_line. The name and value of the parameters that were used with the corresponding cmdlet. If Name is CmdletOptions then store the Value in the process_args variable; if Name is Cmdlet then store the Value in the process_value variable; then map principal.process.command_line to "{process_value} {process_args}" |
Version | metadata.product_version |
ObjectType | security_result.summary |
ExtendedProperties | target.user.user_display_name, target.resource.name, security_result.description, target.resource.attribute.labels.key/value. If Name is CreatedBy then Value is mapped to target.user.user_display_name; if Name is PolicyName then Value is mapped to target.resource.name; if Name is Description then Value is mapped to security_result.description; if Name is RetentionAction, WorkLoad or LabelName then Value is mapped to target.resource.attribute.labels.key/value |
CommentCreated
The following table lists the log fields of the "CommentCreated" operation with the "SharePoint" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED. ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SourceFileExtension | target.file.mime_type |
SiteUrl | network.http.referral_url |
SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
CommentId | about.labels.key/value |
DeviceAccessPolicyChanged
The following table lists the log fields of the "DeviceAccessPolicyChanged" operation with the "SharePoint" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ModifiedProperties | target.labels.key/value |
HeartBeat
The following table lists the log fields of the "HeartBeat" operation with the "Aip" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
Common | target.resource.product_object_id, target.resource.name, target.process.command_line, target.hostname, metadata.product_version. ApplicationId is mapped to target.resource.product_object_id; ApplicationName is mapped to target.resource.name; ProcessName is mapped to target.process.command_line; DeviceName is mapped to target.hostname; ProductVersion is mapped to metadata.product_version |
Version | metadata.product_version |
MessageCreation
The following table lists the log fields of the "MessageCreation" operation with the "Yammer" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. If ResultStatus is TRUE then action is ALLOW, else action is BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
MessageID | target.resource.product_object_id |
ThreadViewed
The following table lists the log fields of the "ThreadViewed" operation with the "Yammer" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS. If ResultStatus is SUCCEEDED then action is set to ALLOW, else action is set to BLOCK | |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
ThreadID | about.labels.key/value |
StreamEditAdminGlobalRoleMembers
The following table lists the log fields of the "StreamEditAdminGlobalRoleMembers" operation with the "MicrosoftStream" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION. If ResultStatus is SUCCEEDED then action is set to ALLOW, else action is set to BLOCK | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeGetTextTrack
The following table lists the log fields of the "StreamInvokeGetTextTrack" operation with the "MicrosoftStream" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeChannelView
The following table lists the log fields of the "StreamInvokeChannelView" operation with the "MicrosoftStream" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeVideoMakePublic
The following table lists the log fields of the "StreamInvokeVideoMakePublic" operation with the "MicrosoftStream" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
StreamInvokeGroupView
The following table lists the log fields of the "StreamInvokeGroupView" operation with the "MicrosoftStream" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
Set-CsOnlineDirectoryTenant
The following table lists the log fields of the "Set-CsOnlineDirectoryTenant" operation with the "SkypeForBusiness" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
CmdletVersion | metadata.product_version |
Parameters | target.labels.key/value |
SkypeForBusinessEventType | about.labels.key/value |
TenantName | target.resource.product_object_id |
Version | metadata.product_version |
Set-CsHostedVoicemailPolicy
The following table lists the log fields of the "Set-CsHostedVoicemailPolicy" operation with the "SkypeForBusiness" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
CmdletVersion | metadata.product_version |
Parameters | target.administrative_domain, target.url, target.labels.key/value. If Name is Organization then Value is mapped to target.administrative_domain; if Name is Destination then Value is mapped to target.url; else Value is mapped to target.labels.key/value |
SkypeForBusinessEventType | about.labels.key/value |
TenantName | target.resource.product_object_id |
Version | metadata.product_version |
Get-CSSimpleUrlConfiguration
The following table lists the log fields of the "Get-CSSimpleUrlConfiguration" operation with the "SkypeForBusiness" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
CmdletVersion | metadata.product_version |
Parameters | target.administrative_domain, target.labels.key/value. If Name is Organization then Value is mapped to target.administrative_domain; else Value is mapped to target.labels.key/value |
SkypeForBusinessEventType | about.labels.key/value |
TenantName | target.resource.product_object_id |
Version | metadata.product_version |
New-ExchangeAssistanceConfig
The following table lists the log fields of the "New-ExchangeAssistanceConfig" operation with the "Exchange" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
New-App
The following table lists the log fields of the "New-App" operation with the "Exchange" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | target.labels.key/value |
SessionId | network.session_id |
PublishToWebReport
The following table lists the log fields of the "PublishToWebReport" operation with the "PowerBI" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
ReportName | target.resource.name |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.attribute.labels.key/value |
ReportId | target.resource.product_object_id |
ReportType | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UserAgent | network.http.user_agent |
DistributionMethod | about.labels.key/value |
UpdateGateway
The following table lists the log fields of the "UpdateGateway" operation with the "PowerBI" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
SwitchState | about.labels.key/value |
WorkSpaceName | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
ActivityId | principal.labels.key/value |
RequestId | about.labels.key/value |
GatewayId | target.resource.product_object_id |
ShareDataset
The following table lists the log fields of the "ShareDataset" operation with the "PowerBI" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
ArtifactId | target.resource.product_object_id |
ArtifactName | target.resource.name |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
UserAgent | network.http.user_agent |
SharingAction | about.labels.key/value |
GetRefreshablesAsAdmin
The following table lists the log fields of the "GetRefreshablesAsAdmin" operation with the "PowerBI" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name |
WorkSpaceName | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
UserAgent | network.http.user_agent |
ActivityId | principal.labels.key/value |
CreateTagJob
The following table lists the log fields of the "CreateTagJob" operation with the "Compliance" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
CaseID | target.resource.product_object_id |
CaseName | target.resource.name |
EndTime | target.resource.attribute.last_update_time |
ExtendedProperties | target.resource.attribute.labels.key/value |
StartTime | target.resource.attribute.creation_time |
Add delegated permission grant
The following table lists the log fields of the "Add delegated permission grant" operation with the "AzureActiveDirectory" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then extract User-Agent and map it to network.http.user_agent; if Name is extendedAuditEventCategory then Value is mapped to target.resource.attribute.labels.key/value; else Value is mapped to about.labels.key/value |
ModifiedProperties | target.resource.product_object_id (conditional mapping; the conditions are not present in the source) |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses (conditional mapping; the condition is not present in the source) |
TargetContextId | target.labels.key/value |
Add app role assignment to service principal
The following table lists the log fields of the "Add app role assignment to service principal" operation with the "AzureActiveDirectory" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then extract User-Agent and map it to network.http.user_agent; if Name is extendedAuditEventCategory then Value is mapped to target.resource.attribute.labels.key/value; else Value is mapped to about.labels.key/value |
ModifiedProperties | target.resource.product_object_id, target.resource.name, security_result.summary. If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id; if Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name; if Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Update to application
The following table lists the log fields of the "Update to application" operation with the "AzureActiveDirectory" workload and the corresponding UDM mappings:
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then extract User-Agent and map it to network.http.user_agent; if Name is extendedAuditEventCategory then Value is mapped to target.resource.attribute.labels.key/value; else Value is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary. If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Update application – Certificates and secrets management
The following table lists the log fields and corresponding UDM mappings for the operation "Update application – Certificates and secrets management" and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory then the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | security_result.summary. If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses |
TargetContextId | target.labels.key/value |
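The AzureActiveDirectory tables above state the ExtendedProperties, ModifiedProperties and Target mappings as conditional rules. The following is an added example, not code from Chronicle or from the OFFICE_365 parser, that implements those rules in Python over a constructed audit record so the mapping can be checked offline. Assumptions that are not on this page: the audit log's Operation value ends with a period and unknown operations fall back to GENERIC_EVENT; the Target rule (an ID containing "@" is an email address, the first other ID is the user id); the ModifiedProperties name KeyDescription for application credential changes; and the sample record's GUIDs, user agent and actor.

```python
"""Added example (not Chronicle's OFFICE_365 parser): the conditional mapping rules from the
AzureActiveDirectory tables above, written out in plain Python so they can be checked offline."""
import json

# metadata.event_type per operation, from the tables in this section. Assumption: the audit
# log's Operation value ends with a period (stripped below); unknown operations -> GENERIC_EVENT.
EVENT_TYPE_BY_OPERATION = {
    "Update to application": "USER_RESOURCE_UPDATE_CONTENT",
    "Update application – Certificates and secrets management": "USER_RESOURCE_UPDATE_CONTENT",
    "Add owner to application": "USER_UNCATEGORIZED",
    "Add application": "USER_RESOURCE_CREATION",
    "Add device configuration": "USER_RESOURCE_UPDATE_CONTENT",
    "Add unverified domain": "USER_RESOURCE_UPDATE_CONTENT",
    "Add policy": "USER_RESOURCE_UPDATE_CONTENT",
}
OBJECT_ID_NAMES = {"ServicePrincipal.ObjectId", "Application.ObjectId"}
RESOURCE_NAME_NAMES = {"ServicePrincipal.DisplayName", "Application.DisplayName", "DisplayName", "Name"}
# Scalar fields that the tables map to a repeated labels field.
LABEL_FIELDS = (("AzureActiveDirectoryEventType", "target.resource.attribute.labels"),
                ("ActorContextId", "principal.labels"), ("InterSystemsId", "target.resource.attribute.labels"),
                ("IntraSystemId", "target.resource.attribute.labels"), ("SupportTicketId", "about.labels"),
                ("TargetContextId", "target.labels"))


def _label(udm, path, key, value):
    # Append one key/value label under a repeated UDM field such as about.labels.
    udm.setdefault(path, []).append({"key": key, "value": str(value)})


def map_extended_properties(props, udm):
    """additionalDetails is a JSON string and only its User-Agent is kept; extendedAuditEventCategory
    goes to target labels; every other Name goes to about labels (the rule in the tables above)."""
    for prop in props:
        name, value = prop.get("Name", ""), prop.get("Value", "")
        if name == "additionalDetails":
            try:
                details = json.loads(value)
            except (TypeError, ValueError):
                details = {}  # malformed JSON: no user agent rather than a parser failure
            if isinstance(details, dict) and details.get("User-Agent"):
                udm["network.http.user_agent"] = details["User-Agent"]
        elif name == "extendedAuditEventCategory":
            _label(udm, "target.resource.attribute.labels", name, value)
        else:
            _label(udm, "about.labels", name, value)


def map_modified_properties(props, udm):
    """Route NewValue by Name: object id, display name, or the 'Included Updated Properties' summary."""
    for prop in props:
        name, new_value = prop.get("Name", ""), prop.get("NewValue", "")
        if name in OBJECT_ID_NAMES:
            udm["target.resource.product_object_id"] = new_value
        elif name in RESOURCE_NAME_NAMES:
            udm["target.resource.name"] = new_value
        elif name == "Included Updated Properties":
            udm["security_result.summary"] = new_value


def map_target(targets, udm):
    """Assumption (the tables only say 'userid or email_addresses'): an ID containing '@' is an email
    address, the first other ID is the userid; every ID also becomes a detection field."""
    for entry in targets:
        ident = str(entry.get("ID", ""))
        if "@" in ident:
            udm.setdefault("target.user.email_addresses", []).append(ident)
        else:
            udm.setdefault("target.user.userid", ident)
        _label(udm, "security_result.detection_fields", "Target.ID", ident)


def normalize(record):
    """Flatten one AzureActiveDirectory audit record into a dict keyed by dotted UDM field name."""
    operation = str(record.get("Operation", "")).rstrip(".")
    udm = {"metadata.event_type": EVENT_TYPE_BY_OPERATION.get(operation, "GENERIC_EVENT")}
    if "Version" in record:
        udm["metadata.product_version"] = str(record["Version"])
    for field, path in LABEL_FIELDS:
        if record.get(field) not in (None, ""):  # an empty SupportTicketId produces no label
            _label(udm, path, field, record[field])
    for actor in record.get("Actor", []):
        _label(udm, "security_result.detection_fields", "Actor.ID", actor.get("ID", ""))
    map_extended_properties(record.get("ExtendedProperties", []), udm)
    map_modified_properties(record.get("ModifiedProperties", []), udm)
    map_target(record.get("Target", []), udm)
    return udm


def is_credential_change(udm):
    # Assumption: M365 reports application certificate/secret changes under the name KeyDescription.
    return "KeyDescription" in udm.get("security_result.summary", "")


# Constructed sample record with placeholder GUIDs; not taken from a real tenant.
SAMPLE_RECORD = {
    "Operation": "Update application – Certificates and secrets management.",
    "Workload": "AzureActiveDirectory", "Version": 1, "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": "{\"User-Agent\": \"Mozilla/5.0 (example)\"}"},
        {"Name": "extendedAuditEventCategory", "Value": "Application"},
        {"Name": "resultType", "Value": "Success"}],
    "ModifiedProperties": [
        {"Name": "KeyDescription", "OldValue": "[]",
         "NewValue": "[\"[KeyIdentifier=aaaaaaaa-0000-0000-0000-000000000001,KeyType=Password]\"]"},
        {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "KeyDescription"}],
    "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "ActorContextId": "11111111-1111-1111-1111-111111111111", "SupportTicketId": "",
    "Target": [{"ID": "Application_44444444-4444-4444-4444-444444444444", "Type": 2},
               {"ID": "44444444-4444-4444-4444-444444444444", "Type": 2}],
}
```

Running `normalize(SAMPLE_RECORD)` yields metadata.event_type USER_RESOURCE_UPDATE_CONTENT, the User-Agent from additionalDetails in network.http.user_agent, the unmatched resultType property under about.labels, no label for the empty SupportTicketId, and a security_result.summary of KeyDescription, which is the value a detection for newly added application credentials would key on.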
Add owner to application
The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to application" and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory then the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.resource.product_object_id, target.resource.name, security_result.summary. If Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id; if Name is Application.DisplayName then NewValue is mapped to target.resource.name; if Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.labels.key/value |
TargetContextId | target.labels.key/value |
Add application
The following table lists the log fields and corresponding UDM mappings for the operation "Add application" and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory then the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.resource.name, security_result.summary. If Name is DisplayName then NewValue is mapped to target.resource.name; if Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Add device configuration
The following table lists the log fields and corresponding UDM mappings for the operation "Add device configuration" and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory then the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.resource.name, security_result.summary. If Name is DisplayName then NewValue is mapped to target.resource.name; if Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Add unverified domain
The following table lists the log fields and corresponding UDM mappings for the operation "Add unverified domain" and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory then the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.resource.name, security_result.summary. If Name is Name then NewValue is mapped to target.resource.name; if Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
Add policy
The following table lists the log fields and corresponding UDM mappings for the operation "Add policy" and the workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails then the User-Agent extracted from the value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory then the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value |
ModifiedProperties | target.resource.name, security_result.summary. If Name is DisplayName then NewValue is mapped to target.resource.name; if Name is Included Updated Properties then NewValue is mapped to security_result.summary |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | security_result.detection_fields.key/value |
TargetContextId | target.labels.key/value |
CreateResponse
The following table lists the log fields and corresponding UDM mappings for the operation "CreateResponse" and the workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
FormsUserTypes | principal.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
EditForm
The following table lists the log fields and corresponding UDM mappings for the operation "EditForm" and the workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
FormsUserTypes | principal.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
SubmitResponse
The following table lists the log fields and corresponding UDM mappings for the operation "SubmitResponse" and the workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
FormsUserTypes | principal.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
ViewResponses
The following table lists the log fields and corresponding UDM mappings for the operation "ViewResponses" and the workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
FormsUserTypes | principal.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
ViewRuntimeForm
The following table lists the log fields and corresponding UDM mappings for the operation "ViewRuntimeForm" and the workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
FormsUserTypes | principal.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
DeleteFlow
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFlow" and the workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
FormsUserTypes | target.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
ListViewed
The following table lists the log fields and corresponding UDM mappings for the operation "ListViewed" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
ItemCount | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
TemplateTypeId | about.labels.key/value |
ListColumnUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnUpdated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
ListContentTypeUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "ListContentTypeUpdated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
ListItemDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "ListItemDeleted" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
ListUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "ListUpdated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
TemplateTypeId | about.labels.key/value |
ApplicationDisplayName | target.application |
ItemCount | target.labels.key/value |
ListItemCreated
The following table lists the log fields and corresponding UDM mappings for the operation "ListItemCreated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
TemplateTypeId | about.labels.key/value |
ItemCount | target.labels.key/value |
ListColumnCreated
The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnCreated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
TemplateTypeId | about.labels.key/value |
ItemCount | target.labels.key/value |
SiteContentTypeUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeUpdated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
ListItemViewed
The following table lists the log fields and corresponding UDM mappings for the operation "ListItemViewed" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_READ; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
ItemCount | target.labels.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
ListItemUniqueId | principal.asset_id |
ListItemUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "ListItemUpdated" and the workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
WebId | about.labels.key/value |
target.file.size | target.labels.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
ListItemUniqueId | principal.asset_id |
FileRenamed
The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and the workload "Endpoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_MOVE | |
DestinationLocationType | target.labels.key/value |
DeviceName | target.hostname |
FileExtension | target.file.mime_type |
FileType | target.resource.attribute.labels.key/value |
PreviousFileName | src.file.full_path |
Sha1 | target.file.sha1 |
Sha256 | target.file.sha256 |
SourceLocationType | principal.labels.key/value |
TargetFilePath | target.file.full_path |
UpdatePowerApp
The following table lists the log fields and corresponding UDM mappings for the operation "UpdatePowerApp" and the workload "PowerApps":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AppName | target.labels.key/value |
Id | metadata.product_log_id |
SubscribedToMessages
The following table lists the log fields and corresponding UDM mappings for the operation "SubscribedToMessages" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
ExtraProperties | additional.fields.key/value.string_value |
SubscriptionId | target.resource.attribute.labels.key/value |
OperationScope | about.labels.key/value |
Version | metadata.product_version |
MessageCreatedNotification
The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedNotification" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
MessageId | target.resource.product_object_id |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
MessageVersion | target.resource.attribute.labels.key/value |
SubscriptionId | target.resource.attribute.labels.key/value |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
OperationScope | about.labels.key/value |
Version | metadata.product_version |
MessageUpdatedNotification
The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdatedNotification" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
MessageId | target.resource.product_object_id |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
MessageVersion | target.resource.attribute.labels.key/value |
SubscriptionId | target.resource.attribute.labels.key/value |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
OperationScope | about.labels.key/value |
Version | metadata.product_version |
MessageCreatedHasLink
The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedHasLink" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
MessageId | target.resource.product_object_id |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
SubscriptionId | target.resource.attribute.labels.key/value |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
CommunicationType | about.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
MessageVersion | target.resource.attribute.labels.key/value |
OperationScope | about.labels.key/value |
Version | metadata.product_version |
MessagesListed
The following table lists the log fields and corresponding UDM mappings for the operation "MessagesListed" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
ChannelGuid | target.resource.product_object_id |
AADGroupId | target.labels.key/value |
CommunicationType | about.labels.key/value |
OperationScope | about.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
PerformedCardAction
The following table lists the log fields and corresponding UDM mappings for the operation "PerformedCardAction" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
AddOnGuid | target.labels.key/value |
AddOnName | target.labels.key/value |
AddOnType | target.labels.key/value |
ChannelGuid | target.resource.product_object_id |
ChannelName | target.resource.name |
ChannelType | target.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
CommunicationType | about.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
Version | metadata.product_version |
MessageEditedHasLink
The following table lists the log fields and corresponding UDM mappings for the operation "MessageEditedHasLink" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
MessageId | target.resource.product_object_id |
MessageURLs | target.resource.attribute.labels.key/value |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
SubscriptionId | target.resource.attribute.labels.key/value |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
CommunicationType | about.labels.key/value |
ExtraProperties | additional.fields.key/value.string_value |
MessageVersion | target.resource.attribute.labels.key/value |
OperationScope | about.labels.key/value |
Version | metadata.product_version |
MeetingParticipantDetail
The following table lists the log fields and corresponding UDM mappings for the operation "MeetingParticipantDetail" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
Attendees | about.resource.product_object_id, about.user.product_object_id, about.user.attribute.roles.name. OrganizationId is mapped to about.resource.product_object_id; Role is mapped to about.user.attribute.roles.name; UserObjectId is mapped to about.user.product_object_id |
ExtraProperties | additional.fields.key/value.string_value |
JoinTime | target.resource.attribute.creation_time |
LeaveTime | target.resource.attribute.last_update_time |
MeetingDetailId | target.resource.product_object_id |
Version | metadata.product_version |
MeetingDetail
The following table lists the log fields and corresponding UDM mappings for the operation "MeetingDetail" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
StartTime | target.resource.attribute.creation_time |
EndTime | target.resource.attribute.last_update_time |
ExtraProperties | additional.fields.key/value.string_value |
MeetingURL | target.url |
MessageId | target.resource.product_object_id |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
CommunicationType | about.labels.key/value |
Modalities | security_result.summary |
Organizer | principal.user.product_object_id |
Version | metadata.product_version |
MessageUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdated" and the workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
ExtraProperties | additional.fields.key/value.string_value |
MessageVersion | target.resource.attribute.labels.key/value |
MessageId | target.resource.product_object_id |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
CommunicationType | about.labels.key/value |
Version | metadata.product_version |
AggregateTransportQueueData
The following table lists the log fields and corresponding UDM mappings for the operation "AggregateTransportQueueData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
AuthorizeCustomerInsight
The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeCustomerInsight" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
AuthorizeConnectorReportData
The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeConnectorReportData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchAlertOverride
The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertOverride" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
AuthorizeMailflowForwardingData
The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeMailflowForwardingData" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchDomainTrafficStatus
The following table lists the log fields and corresponding UDM mappings for the operation "SearchDomainTrafficStatus" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
SearchAlertActivity
The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertActivity" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
AggregateMailmetadata
The following table lists the log fields and corresponding UDM mappings for the operation "AggregateMailmetadata" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
Parameters | about.labels.key/value |
ClientApplication | principal.application |
Version | metadata.product_version |
AadAppId | target.labels.key/value |
DatabaseType | target.resource.attribute.labels.key/value |
DataType | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
InsightGenerated
The following table lists the log fields and corresponding UDM mappings for the operation "InsightGenerated" and the workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
StartTime | target.resource.attribute.creation_time |
ClientRequestId | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
UserServicePlan | principal.labels.key/value |
ClientApplication | principal.application |
Category | security_result.category_details |
Description | security_result.description |
InsightId | target.resource.product_object_id |
Name | target.resource.name |
Version | metadata.product_version |
UserSubmission
The following table lists the log fields for the operation "UserSubmission" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCAN_UNCATEGORIZED. security_result.category is set to MAIL_SPAM. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| KesMailId | network.email.mail_id |
| ExtendedProperties | security_result.rule_name, security_result.rule_id, security_result.category_details. SubmissionSource is mapped to security_result.rule_name; SubmissionId is mapped to security_result.rule_id; SubmissionCategory is mapped to security_result.category_details. |
| P1SenderDomain | principal.administrative_domain |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| P2Sender | network.email.from |
| SubmissionState | security_result.summary |
| P1Sender | principal.user.email_addresses |
| Version | metadata.product_version |
SaveRoleGroupMember
The following table lists the log fields for the operation "SaveRoleGroupMember" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateCampaignIntelligenceData
The following table lists the log fields for the operation "AggregateCampaignIntelligenceData" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchEmailTimelineEvents
The following table lists the log fields for the operation "SearchEmailTimelineEvents" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertStory
The following table lists the log fields for the operation "SearchAlertStory" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateThreatDetailsBulk
The following table lists the log fields for the operation "AggregateThreatDetailsBulk" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-User
The following table lists the log fields for the operation "Get-User" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line, target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-DlpComplianceRule
The following table lists the log fields for the operation "Get-DlpComplianceRule" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line, target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AnalyzedByExternalApplication
The following table lists the log fields for the operation "AnalyzedByExternalApplication" and workload "Power BI" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to RESOURCE_READ |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.name |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name. |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
New-MigrationBatch
The following table lists the log fields for the operation "New-MigrationBatch" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name, target.administrative_domain, target.resource.attribute.labels.key/value. If Name is Name, Value is mapped to target.resource.name; if Name is TargetDeliveryDomain, Value is mapped to target.administrative_domain; if Name is AutoStart or AutoComplete, Value is mapped to target.resource.attribute.labels.key/value. |
| SessionId | network.session_id |
UserSubmissionTriage
The following table lists the log fields for the operation "UserSubmissionTriage" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SCAN_UNCATEGORIZED. security_result.category is set to MAIL_SPAM. |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | security_result.rule_name, security_result.rule_id, security_result.category_details. SubmissionSource is mapped to security_result.rule_name; SubmissionId is mapped to security_result.rule_id; SubmissionCategory is mapped to security_result.category_details. |
| GradingResult | security_result.category_details |
| KesMailId | network.email.mail_id |
| P1Sender | principal.user.email_addresses |
| P1SenderDomain | principal.administrative_domain |
| P2Sender | network.email.from |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| SubmissionState | security_result.summary |
FileArchived
The following table lists the log fields for the operation "FileArchived" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileCreatedOnNetworkShare
The following table lists the log fields for the operation "FileCreatedOnNetworkShare" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_CREATION |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileCreatedOnRemovableMedia
The following table lists the log fields for the operation "FileCreatedOnRemovableMedia" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_CREATION |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
SlimFilePrinted
The following table lists the log fields for the operation "SlimFilePrinted" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. target.asset.type is set to PRINTER. |
| Application | target.application |
| DeviceName | target.hostname |
| FileType | target.resource.attribute.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |
FilePrinted
The following table lists the log fields for the operation "FilePrinted" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. target.asset.type is set to PRINTER. |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |
| Log field | UDM mapping |
|---|---|
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| PreviousFileName | src.file.full_path |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
ArchiveCreated
The following table lists the log fields for the operation "ArchiveCreated" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileDownloadedFromBrowser
The following table lists the log fields for the operation "FileDownloadedFromBrowser" and workload "Endpoint" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
Create application password for user
The following table lists the log fields for the operation "Create application password for user" and workload "AzureActiveDirectory" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise, Value is mapped to about.labels.key/value. |
| ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise, NewValue is mapped to target.labels.key/value. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value. |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
SearchNdrDetailData
The following table lists the log fields for the operation "SearchNdrDetailData" and workload "SecurityComplianceCenter" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GENERIC_EVENT |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line, target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
MessageUpdated
The following table lists the log fields for the operation "MessageUpdated" and workload "Yammer" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. If ResultStatus is TRUE, security_result.action is set to ALLOW; otherwise, it is set to BLOCK. |
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
Access
The following table lists the log fields for the operation "Access" and workload "Aip" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.file.full_path. |
| Common | target.resource.product_object_id, target.resource.name, target.process.command_line, target.hostname, metadata.product_version. ApplicationId is mapped to target.resource.product_object_id; ApplicationName is mapped to target.resource.name; ProcessName is mapped to target.process.command_line; DeviceName is mapped to target.hostname; ProductVersion is mapped to metadata.product_version. |
| DataState | security_result.summary |
| Version | metadata.product_version |
Discover
The following table lists the log fields for the operation "Discover" and workload "Aip" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. ObjectId is mapped to target.file.full_path. |
| Common | target.resource.product_object_id, target.resource.name, target.process.command_line, target.hostname, metadata.product_version. ApplicationId is mapped to target.resource.product_object_id; ApplicationName is mapped to target.resource.name; ProcessName is mapped to target.process.command_line; DeviceName is mapped to target.hostname; ProductVersion is mapped to metadata.product_version. |
| DataState | security_result.summary |
| Version | metadata.product_version |
TIUrlClickData
The following table lists the log fields for the operation "TIUrlClickData" and workload "ThreatIntelligence" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| AppName | target.application |
| AppVersion | metadata.product_version |
| EventDeepLink | metadata.url_back_to_product |
| SourceId | network.email.mail_id. If AppName is Mail, SourceId is mapped to network.email.mail_id. |
| Url | target.url |
| UserIp | principal.ip |
| Version | metadata.product_version |
Device no longer managed
The following table lists the log fields for the operation "Device no longer managed" and workload "AzureActiveDirectory" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is set to DEVICE. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise, Value is mapped to about.labels.key/value. |
| ModifiedProperties | target.asset.product_object_id, target.platform. If Name is TargetId.DeviceId, NewValue is mapped to target.asset.product_object_id; if Name is TargetId.DeviceOSType, NewValue is mapped to target.platform. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value. |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
AirInvestigationData
The following table lists the log fields for the operation "AirInvestigationData" and workload "AirInvestigation" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. |
| LastUpdateTimeUtc | target.resource.attribute.last_update_time |
| Status | security_result.summary |
| InvestigationId | target.resource.product_object_id |
| InvestigationType | target.resource.attribute.labels.key/value |
| Data | security_result.description, security_result.category_details, network.email.to, network.email.from, network.email.mail_id, network.email.subject, network.direction, principal.ip, principal.administrative_domain, principal.user.email_addresses. Data.Description is mapped to security_result.description; Data.Category is mapped to security_result.category_details; Data.Entities.1.Recipient is mapped to network.email.to; Data.Entities.1.Sender is mapped to network.email.from; Data.Entities.1.InternetMessageId is mapped to network.email.mail_id; Data.Entities.1.Subject is mapped to network.email.subject; Data.Entities.1.AntispamDirection is mapped to network.direction; Data.Entities.1.SenderIP is mapped to principal.ip; Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain; Data.Entities.1.P1Sender is mapped to principal.user.email_addresses. |
| InvestigationName | target.resource.name |
| StartTimeUtc | target.resource.attribute.creation_time |
| Version | metadata.product_version |
| DeepLinkUrl | metadata.url_back_to_product |
Set-MailboxJunkEmailConfiguration
The following table lists the log fields for the operation "Set-MailboxJunkEmailConfiguration" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.user.email_addresses. If Name is BlockedSendersAndDomains, Value is mapped to target.user.email_addresses (the value is a single string of addresses separated by ";"). |
| SessionId | network.session_id |
| Version | metadata.product_version |
New-DistributionGroup
The following table lists the log fields for the operation "New-DistributionGroup" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GROUP_CREATION. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, security_result.action is set to ALLOW; otherwise, it is set to BLOCK. |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; security_result.description; target.group.attribute.labels.key/value. If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; if Name is ManagedBy, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.user_display_name; if Name is Member, Value is mapped to security_result.description; otherwise, Value is mapped to target.group.attribute.labels.key/value. |
| SessionId | network.session_id |
Add-DistributionGroupMember
The following table lists the log fields for the operation "Add-DistributionGroupMember" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to GROUP_MODIFICATION. ObjectId is mapped to target.group.group_display_name. security_result.summary is set to "Group Members definition". If ResultStatus is True, security_result.action is set to ALLOW; otherwise, it is set to BLOCK. |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses; target.user.product_object_id, target.user.email_addresses or target.user.userid; target.group.attribute.labels.key/value. If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses; if Name is Member, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.userid; otherwise, Value is mapped to target.group.attribute.labels.key/value. |
| SessionId | network.session_id |
Remove-InboxRule
The following table lists the log fields for the operation "Remove-InboxRule" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to SETTING_DELETION. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.group.product_object_id. |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.rule_labels.key/value |
| SessionId | network.session_id |
Enable-Mailbox
The following table lists the log fields for the operation "Enable-Mailbox" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_CREATION |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id, target.user.email_addresses or target.user.userid; target.resource.attribute.labels.key/value. If Name is Identity, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.userid; if Name is Archive, Value is mapped to target.resource.attribute.labels.key/value. |
| SessionId | network.session_id |
Import
The following table lists the log fields for the operation "Import" and workload "PowerBI" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses, target.user.attribute.permissions.name. This field is mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name. |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name. RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is mapped to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name. |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| SwitchState | about.labels.key/value |
| ImportSource | about.labels.key/value |
| ImportType | target.file.mime_type |
| ImportDisplayName | target.file.full_path |
Device no longer compliant
The following table lists the log fields for the operation "Device no longer compliant" and workload "AzureActiveDirectory" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS. target.resource.resource_type is set to DEVICE. |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise, Value is mapped to about.labels.key/value. |
| ModifiedProperties | target.platform, target.resource.product_object_id. If Name is TargetId.DeviceId, NewValue is mapped to target.resource.product_object_id; if Name is TargetId.DeviceOSType, NewValue is mapped to target.platform. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value. |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Enable account
The following table lists the log fields for the operation "Enable account" and workload "AzureActiveDirectory" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent |
| ModifiedProperties | security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Add service principal credentials
The following table lists the log fields for the operation "Add service principal credentials" and workload "AzureActiveDirectory" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise, Value is mapped to about.labels.key/value. |
| ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise, NewValue is mapped to target.labels.key/value. |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value. |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
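The AzureActiveDirectory tables above ("Create application password for user", "Add service principal credentials", "Remove service principal credentials") share one set of conditional rules: a User-Agent is pulled out of the additionalDetails entry of ExtendedProperties, the "Included Updated Properties" entry of ModifiedProperties becomes security_result.summary, ActorIpAddress is split into principal.ip and principal.port, and only a Target entry of Type 5 becomes target.user. The Python below is an added example written for this page, not Chronicle's parser code; it applies those rules to a constructed Management Activity API record. Assumed rather than stated on the page: the Operation value carries a trailing period as the API emits it, ActorIpAddress may arrive as ip:port, the additionalDetails value is a JSON string, the label keys are the source field names, and a Type 5 ID containing "@" goes to email_addresses while any other goes to userid. The device tables ("Device no longer managed", "Device no longer compliant") route ModifiedProperties differently and are not covered here.

```python
"""Added example (not Chronicle's parser): apply the AzureActiveDirectory mapping
tables on this page to a raw Office 365 Management Activity record.
Assumptions not taken from the page: Operation carries a trailing period,
ActorIpAddress may be "ip:port", additionalDetails is a JSON string, and label
keys are the source field names."""
import ipaddress
import json

EVENT_TYPES = {  # operation (period stripped) -> metadata.event_type, per the tables
    "Create application password for user": "USER_UNCATEGORIZED",
    "Add service principal credentials": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "Remove service principal credentials": "USER_RESOURCE_UPDATE_PERMISSIONS",
}
SCALAR_LABELS = (  # source field -> label path, per the tables
    ("AzureActiveDirectoryEventType", "target.resource.attribute.labels"),
    ("ActorContextId", "principal.labels"),
    ("InterSystemsId", "target.resource.attribute.labels"),
    ("IntraSystemId", "target.resource.attribute.labels"),
    ("SupportTicketId", "about.labels"),
    ("TargetContextId", "target.labels"),
)

# Constructed sample (fake tenant): an admin adds a password credential to a service principal.
SAMPLE_ADD_SP_CREDS = {
    "Workload": "AzureActiveDirectory",
    "Operation": "Add service principal credentials.",
    "ResultStatus": "Success",
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": json.dumps({"User-Agent": "python-requests/2.31"})},
        {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"},
    ],
    "ModifiedProperties": [
        {"Name": "KeyDescription", "NewValue": "[KeyIdentifier=2a7c0d3e,KeyType=Password,KeyUsage=Verify]", "OldValue": "[]"},
        {"Name": "Included Updated Properties", "NewValue": "KeyDescription", "OldValue": ""},
    ],
    "Actor": [{"ID": "admin@contoso.example", "Type": 5}, {"ID": "1003BFFD9A1F2C3E", "Type": 3}],
    "ActorContextId": "0a1b2c3d-0000-4000-8000-0000000000aa",
    "ActorIpAddress": "198.51.100.23:51820",
    "InterSystemsId": "inter-0001",
    "IntraSystemId": "intra-0001",
    "SupportTicketId": "",
    "Target": [{"ID": "ServicePrincipal_6e3b9f10", "Type": 2}, {"ID": "automation-app", "Type": 5}],
    "TargetContextId": "0a1b2c3d-0000-4000-8000-0000000000aa",
    "version": "1",
}


def _label(udm, path, key, value):
    """Append a key/value label so repeated label paths keep every entry."""
    udm.setdefault(path, []).append({"key": str(key), "value": str(value)})


def split_ip_port(value):
    """'198.51.100.23:51820' or '[2001:db8::1]:443' -> (ip, port); a bare address -> (ip, None)."""
    host, port = value, None
    if value.startswith("["):                       # bracketed IPv6 with port
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
    elif value.count(":") == 1:                     # IPv4 with port
        host, _, p = value.partition(":")
        port = int(p)
    ipaddress.ip_address(host)                      # reject anything that is not an address
    return host, port


def aad_to_udm(rec):
    """Return the UDM fields as a dict keyed by dotted path."""
    op = rec.get("Operation", "").rstrip(".")
    if rec.get("Workload") != "AzureActiveDirectory" or op not in EVENT_TYPES:
        raise ValueError(f"no mapping in this example for {rec.get('Workload')}/{op}")
    udm = {"metadata.event_type": EVENT_TYPES[op]}
    if "version" in rec:
        udm["metadata.product_version"] = str(rec["version"])
    for field, path in SCALAR_LABELS:
        if rec.get(field) not in (None, ""):
            _label(udm, path, field, rec[field])
    if rec.get("ActorIpAddress"):                   # ActorIpAddress -> principal.ip and principal.port
        udm["principal.ip"], port = split_ip_port(rec["ActorIpAddress"])
        if port is not None:
            udm["principal.port"] = port
    for item in rec.get("ExtendedProperties", []):  # routed on Name
        name, value = item.get("Name"), item.get("Value")
        if name == "additionalDetails":
            try:
                ua = json.loads(value or "{}").get("User-Agent")
            except (ValueError, AttributeError):
                ua = None
            if ua:
                udm["network.http.user_agent"] = ua
        elif name == "extendedAuditEventCategory":
            _label(udm, "target.resource.attribute.labels", name, value)
        else:
            _label(udm, "about.labels", name, value)
    for item in rec.get("ModifiedProperties", []):  # the summary names the changed properties
        if item.get("Name") == "Included Updated Properties":
            udm["security_result.summary"] = item.get("NewValue", "")
        else:
            _label(udm, "target.labels", item.get("Name"), item.get("NewValue"))
    for item in rec.get("Actor", []):               # the acting identity is kept only as detection fields
        _label(udm, "security_result.detection_fields", f"Actor.Type{item.get('Type')}", item.get("ID"))
    for item in rec.get("Target", []):              # Type 5 (UPN) is the target user; the rest are detection fields
        if item.get("Type") == 5:
            key = "target.user.email_addresses" if "@" in str(item.get("ID")) else "target.user.userid"
            udm[key] = item["ID"]
        else:
            _label(udm, "security_result.detection_fields", f"Target.Type{item.get('Type')}", item.get("ID"))
    return udm


if __name__ == "__main__":
    print(json.dumps(aad_to_udm(SAMPLE_ADD_SP_CREDS), indent=2))
```

One consequence of the tables worth keeping in mind when writing detections over these events: the administrator who added or removed the credential is carried only in security_result.detection_fields (from Actor), not in principal.user, while the Type 5 Target entry fills target.user. Queries that key on principal.user for this event type will therefore find nothing.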
Set-SyncUser
The following table lists the log fields for the operation "Set-SyncUser" and workload "Exchange" and their corresponding UDM mappings:
| Log field | UDM mapping |
|---|---|
| | metadata.event_type is mapped to USER_UNCATEGORIZED |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id, target.user.email_addresses or target.user.userid. If Name is Identity, Value is mapped to target.user.product_object_id, target.user.email_addresses or target.user.userid. |
| SessionId | network.session_id |
MessageSent
The following table lists the log fields and corresponding UDM mappings for the operation "MessageSent" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT | |
MessageSizeInBytes | target.resource.attribute.labels.key/value |
ChannelGuid | target.labels.key/value |
OperationScope | about.labels.key/value |
TeamGuid | target.user.group_identifiers and target.group.product_object_id |
TeamName | target.group.group_display_name |
AADGroupId | target.labels.key/value |
CommunicationType | about.labels.key/value |
MessageId | target.resource.product_object_id |
Version | metadata.product_version |
MessageVersion | target.resource.attribute.labels.key/value |
Remove service principal credentials
The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal credentials" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise to target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
version | metadata.product_version |
TargetContextId | target.labels.key/value |
Remove-MoveRequest
The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MoveRequest" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | If Name is Identity, Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid; if Name is ExecutingIdentity, Value is mapped to target.resource.attribute.labels.key/value |
StreamInvokeGetTranscript
The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGetTranscript" and workload "MicrosoftStream":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_COMMUNICATION | |
ClientApplicationId | principal.labels.key/value |
EntityPath | metadata.url.back_to_product |
OperationDetails | metadata.description |
ResourceTitle | target.resource.name |
ResourceUrl | target.url |
Version | metadata.product_version |
Remove owner from group
The following table lists the log fields and corresponding UDM mappings for the operation "Remove owner from group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | If Name is Group.ObjectID, NewValue is mapped to target.group.product_object_id; if Name is Group.DisplayName, NewValue is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
version | metadata.product_version |
TargetContextId | target.labels.key/value |
Add app role assignment to group
The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment to group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | If Name is AppRole.Id, NewValue is mapped to target.resource.product_object_id; if Name is AppRole.DisplayName, NewValue is mapped to target.resource.name; if Name is Group.DisplayName, NewValue is mapped to target.group.group_display_name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
version | metadata.product_version |
TargetContextId | target.labels.key/value |
Disable-MailUser
The following table lists the log fields and corresponding UDM mappings for the operation "Disable-MailUser" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED. If ResultStatus is True, Action is set to BLOCK | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | If Name is Identity, Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid |
New-FolderMoveRequest
The following table lists the log fields and corresponding UDM mappings for the operation "New-FolderMoveRequest" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
Version | metadata.product_version |
AppId | target.labels.key/value |
ClientAppId | target.labels.key/value |
OrganizationName | target.administrative_domain |
OriginatingServer | principal.hostname |
Parameters | If Name is Name, Value is mapped to target.resource.name; if Name is DomainController, Value is mapped to target.administrative_domain; if Name is Folders, Value is mapped to target.resource.attribute.labels.key/value |
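The Exchange cmdlet tables (Set-SyncUser, Remove-MoveRequest, Disable-MailUser, New-FolderMoveRequest) all key their mapping on the Name/Value pairs inside Parameters, and Disable-MailUser adds a ResultStatus condition. The block below is an added example, not Chronicle's OFFICE_365 parser: it applies those rules to constructed records. The GUID/"@" rule for choosing among target.user.product_object_id, target.user.email_addresses and target.user.userid (the tables list the three without a selector), the use of security_result.action for the BLOCK setting, and the GENERIC_EVENT default for cmdlets the tables do not list are this example's own assumptions.

```python
# Added example, not Chronicle's OFFICE_365 parser: applies the Exchange
# cmdlet-audit mapping rules from this section to constructed records.
from __future__ import annotations
import re
from typing import Any

# metadata.event_type per cmdlet, as listed in the tables in this section.
EVENT_TYPE = {
    "Set-SyncUser": "USER_UNCATEGORIZED",
    "Disable-MailUser": "USER_UNCATEGORIZED",
    "Remove-MoveRequest": "STATUS_UPDATE",
    "New-FolderMoveRequest": "STATUS_UPDATE",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def add_label(udm: dict[str, Any], path: str, key: str, value: Any) -> None:
    """Append a key/value label to a repeated UDM label field."""
    udm.setdefault(path, []).append({"key": key, "value": str(value)})


def identity_field(value: str) -> str:
    """Choose the target.user field for an Identity value. The tables list
    product_object_id, email_addresses and userid without a selector; this
    GUID / '@' / fallback order is this example's assumption."""
    if GUID_RE.match(value):
        return "target.user.product_object_id"
    if "@" in value:
        return "target.user.email_addresses"
    return "target.user.userid"


def normalize_exchange_cmdlet(record: dict[str, Any]) -> dict[str, Any]:
    """Map one Exchange cmdlet audit record to a flat dict of UDM paths."""
    op = record["Operation"]
    udm: dict[str, Any] = {
        # GENERIC_EVENT for cmdlets the tables do not list is an assumption.
        "metadata.event_type": EVENT_TYPE.get(op, "GENERIC_EVENT"),
        "metadata.product_version": str(record.get("Version", "")),
    }
    # Disable-MailUser table: a True ResultStatus sets the action to BLOCK
    # (stored here in security_result.action; the table just says "Action").
    if op == "Disable-MailUser" and str(record.get("ResultStatus")) == "True":
        udm["security_result.action"] = "BLOCK"
    for name in ("AppId", "ClientAppId"):
        if name in record:
            add_label(udm, "target.labels", name, record[name])
    if "OrganizationName" in record:
        udm["target.administrative_domain"] = record["OrganizationName"]
    if "OriginatingServer" in record:
        udm["principal.hostname"] = record["OriginatingServer"]
    if "SessionId" in record:
        udm["network.session_id"] = record["SessionId"]
    # Parameters is a list of {Name, Value}; only names the tables describe are kept.
    for param in record.get("Parameters", []):
        name, value = param.get("Name"), param.get("Value", "")
        if name == "Identity":
            field = identity_field(value)
            if field == "target.user.email_addresses":
                udm.setdefault(field, []).append(value)
            else:
                udm[field] = value
        elif name in ("ExecutingIdentity", "Folders"):
            add_label(udm, "target.resource.attribute.labels", name, value)
        elif name == "Name":
            udm["target.resource.name"] = value
        elif name == "DomainController":
            # Both OrganizationName and DomainController map to
            # target.administrative_domain; the parameter wins here (assumption).
            udm["target.administrative_domain"] = value
    return udm


# Constructed sample records; all values are made up for this example.
DISABLE_MAILUSER: dict[str, Any] = {
    "Operation": "Disable-MailUser", "Workload": "Exchange", "Version": 1,
    "ResultStatus": "True", "OrganizationName": "example.onmicrosoft.com",
    "OriginatingServer": "EX01 (15.20.6000.000)",
    "Parameters": [{"Name": "Identity", "Value": "jdoe@example.test"},
                   {"Name": "Confirm", "Value": "False"}],
}
REMOVE_MOVEREQUEST: dict[str, Any] = {
    "Operation": "Remove-MoveRequest", "Workload": "Exchange", "Version": 1,
    "AppId": "00000002-0000-0ff1-ce00-000000000000",
    "Parameters": [{"Name": "Identity", "Value": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"},
                   {"Name": "ExecutingIdentity", "Value": "admin@example.test"}],
}

if __name__ == "__main__":
    for rec in (DISABLE_MAILUSER, REMOVE_MOVEREQUEST):
        print(normalize_exchange_cmdlet(rec))
```

Note that the tables say nothing about parameters other than the ones named (Confirm in the sample is dropped), so any detection that needs, for example, the full parameter set of a cmdlet should not rely on target.user and labels alone.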
Add owner to policy
The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to policy" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | If Name is Policy.ObjectID, NewValue is mapped to target.resource.product_object_id; if Name is Policy.DisplayName, NewValue is mapped to target.resource.name |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise to security_result.detection_fields.key/value |
version | metadata.product_version |
TargetContextId | target.labels.key/value |
EditContentProviderProperties
The following table lists the log fields and corresponding UDM mappings for the operation "EditContentProviderProperties" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING | |
AppName | target.labels.key/value |
DashboardName | target.resource.attribute.labels.key/value |
DataClassification | target.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
OrgAppPermission | Mapped according to the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name |
ReportName | target.resource.attribute.labels.key/value |
SharingInformation | RecipientEmail is mapped to about.user.email_addresses; RecipientName to about.user.user_display_name; ObjectId to about.user.product_object_id; ResharePermission to about.user.attribute.permissions.name |
WorkSpaceName | target.resource.name |
WorkspaceId | target.resource.product_object_id |
SwitchState | about.labels.key/value |
ContentProviderCertificationStage | security_result.summary |
AppId | target.labels.key/value |
RequestId | about.labels.key/value |
ReportingAccessed
The following table lists the log fields and corresponding UDM mappings for the operation "ReportingAccessed" and workload "Project":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
GroupAccessFailure
The following table lists the log fields and corresponding UDM mappings for the operation "GroupAccessFailure" and workload "Yammer":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
ActorUserId | principal.user.email_addresses and principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
DataExportType | target.resource.attribute.labels.key/value |
FileId | target.resource.product_object_id |
FileName | target.file.full_path |
GroupName | target.group.group_display_name |
IsSoftDelete | security_result.description is set to IsSoftDelete - {IsSoftDelete} |
MessageId | target.resource.product_object_id |
YammerNetworkId | principal.labels.key/value |
TargetUserId | target.user.email_addresses |
TargetYammerUserId | target.labels.key/value |
VersionId | about.labels.key/value |
Version | metadata.product_version |
FileSensitivityLabelChanged
The following table lists the log fields and corresponding UDM mappings for the operation "FileSensitivityLabelChanged" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED | |
AppAccessContext.CorrelationId | security_result.detection_fields.key/value |
CorrelationId | security_result.detection_fields.key/value |
DestinationFileExtension | target.file.mime_type |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationLabel | target.labels |
EventSource | principal.application |
HighPriorityMediaProcessing | about.labels |
IsManagedDevice | about.labels |
ItemType | target.resource.attribute.labels.key/value |
ListBaseType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ListServerTemplate | security_result.detection_fields.key/value |
SensitivityLabelEventData.ActionSource | principal.labels.key/value |
SensitivityLabelEventData.LabelEventType | target.labels.key/value |
SensitivityLabelEventData.OldSensitivityLabelId | target.resource.product_object_id |
SensitivityLabelEventData.OldSensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceLabel | src.labels.key/value |
UserAgent | network.http.user_agent |
UserKey | target.labels |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileRead
The following table lists the log fields and corresponding UDM mappings for the operation "FileRead" and workload "Endpoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_READ | |
Application | principal.application |
DeviceName | target.hostname |
DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
EnforcementMode | target.labels |
FileExtension | target.file.mime_type |
FileSize | target.file.size |
FileType | target.resource.attribute.labels.key/value |
Hidden | security_result.detection_fields.key/value |
JitTriggered | security_result.detection_fields.key/value |
MDATPDeviceId | security_result.detection_fields.key/value |
PolicyMatchInfo | target.resource.product_object_id |
RMSEncrypted | security_result.detection_fields.key/value |
SensitiveInfoTypeData | security_result.detection_fields.key/value |
SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
Sha1 | target.file.sha1 |
Sha256 | target.file.sha256 |
SourceLocationType | principal.labels.key/value |
MessageReadReceiptReceived
The following table lists the log fields and corresponding UDM mappings for the operation "MessageReadReceiptReceived" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
ChatThreadId | target.user.group_identifiers |
CommunicationType | about.labels.key/value |
MessageId | target.resource.product_object_id |
MessageVersion | target.resource.attribute.labels.key/value |
MessageVisibilityTime | target.resource.attribute.labels.key/value |
ParticipantInfo.HasForeignTenantUsers | security_result.detection_fields.key/value |
ParticipantInfo.HasGuestUsers | security_result.detection_fields.key/value |
ParticipantInfo.HasOtherGuestUsers | security_result.detection_fields.key/value |
ParticipantInfo.HasUnauthenticatedUsers | security_result.detection_fields.key/value |
ParticipantInfo.ParticipatingTenantIds | security_result.detection_fields.key/value |
Search
The following table lists the log fields and corresponding UDM mappings for the operation "Search" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED | |
AadAppId | target.labels.key/value |
RelativeUrl | target.url |
ResultCount | target.labels.key/value |
Version | metadata.product_version |
DataType | security_result.description |
TaskDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "TaskDeleted" and workload "MicrosoftTodo":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_DELETION | |
ActorAppId | target.labels.key/value |
ItemId | security_result.detection_fields.key/value |
ItemType | target.resource.attribute.labels.key/value |
TargetActorId | target.labels.key/value |
TargetActorTenantId | target.labels.key/value |
TaskUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "TaskUpdated" and workload "MicrosoftTodo":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN | |
ActorAppId | target.labels.key/value |
ItemId | security_result.detection_fields.key/value |
ItemType | target.resource.attribute.labels.key/value |
TargetActorId | target.labels.key/value |
TargetActorTenantId | target.labels.key/value |
TaskCreation
The following table lists the log fields and corresponding UDM mappings for the operation "TaskCreation" and workload "MicrosoftTodo":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_CREATION | |
ActorAppId | target.labels.key/value |
ItemId | security_result.detection_fields.key/value |
ItemType | target.resource.attribute.labels.key/value |
TargetActorId | target.labels.key/value |
TargetActorTenantId | target.labels.key/value |
SecurityGroupModified
The following table lists the log fields and corresponding UDM mappings for the operation "SecurityGroupModified" and workload "Project":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION | |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
UserKey | target.labels |
Version | metadata.product_version |
AppAccessContext.UniqueTokenId | target.labels |
AppAccessContext.CorrelationId | security_result.detection_fields.key/value |
LaunchPowerApp
The following table lists the log fields and corresponding UDM mappings for the operation "LaunchPowerApp" and workload "PowerApps":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AppName | target.labels.key/value |
Version | metadata.product_version |
DeleteDatasetRows
The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDatasetRows" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. If else | |
UserAgent | network.http.user_agent |
WorkSpaceName | target.resource.attribute.labels.key/value |
DatasetName | target.resource.attribute.labels.key/value |
WorkspaceId | target.resource.attribute.labels.key/value |
DatasetId | target.resource.product_object_id |
DataConnectivityMode | target.resource.attribute.labels.key/value |
ArtifactId | target.resource.attribute.labels.key/value |
RequestId | about.labels.key/value |
ActivityId | principal.labels.key/value |
TableName | target.resource.attribute.labels.key/value |
LastRefreshTime | about.labels.key/value |
ArtifactKind | target.resource.attribute.labels.key/value |
New-DlpCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the operation "New-DlpCompliancePolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
ClientApplication | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
ObjectId | target.resource.product_object_id |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
StartTime | target.resource.attribute.creation_time |
UserKey | target.labels |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
New-DlpComplianceRule
The following table lists the log fields and corresponding UDM mappings for the operation "New-DlpComplianceRule" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
ClientApplication | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
ObjectId | target.resource.product_object_id |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
StartTime | target.resource.attribute.creation_time |
UserKey | target.labels |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
Get-InsiderRiskPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Get-InsiderRiskPolicy" and workload "SecurityComplianceCenter":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
ClientApplication | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
ObjectId | target.resource.product_object_id |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
StartTime | target.resource.attribute.creation_time |
UserKey | target.labels |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
Set-HostedContentFilterPolicy
The following table lists the log fields and corresponding UDM mappings for the operation "Set-HostedContentFilterPolicy" and workload "Exchange":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. If else | |
ExternalAccess | about.labels.key/value |
ObjectId | target.resource.product_object_id |
Version | metadata.product_version |
Parameters | target.resource.attribute.labels.key/value |
UserKey | target.labels.key/value |
Enable Strong Authentication.
The following table lists the log fields and corresponding UDM mappings for the operation "Enable Strong Authentication." and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
ExtendedProperties | If Name is additionalDetails, the User-Agent extracted from Value is mapped to network.http.user_agent; if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value; otherwise to about.labels.key/value |
ModifiedProperties | If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise to target.labels.key/value |
ReactedToMessage
The following table lists the log fields and corresponding UDM mappings for the operation "ReactedToMessage" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppAccessContext.IssuedAtTime | target.labels.key/value |
AppAccessContext.UniqueTokenId | target.labels.key/value |
ChatThreadId | target.user.group_identifiers and target.group.product_object_id |
MessageReactionType | target.resource.attribute.labels.key/value |
ChatName | target.group.group_display_name |
MessageId | target.resource.product_object_id |
ParticipantInfo.HasForeignTenantUsers | security_result.detection_fields.key/value |
ParticipantInfo.HasGuestUsers | security_result.detection_fields.key/value |
ParticipantInfo.HasOtherGuestUsers | security_result.detection_fields.key/value |
ParticipantInfo.HasUnauthenticatedUsers | security_result.detection_fields.key/value |
ParticipantInfo.ParticipatingTenantIds | security_result.detection_fields.key/value |
RemovableMediaUnmount
The following table lists the log fields and corresponding UDM mappings for the operation "RemovableMediaUnmount" and workload "Endpoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
MDATPDeviceId | target.asset.asset_id |
Platform | target.labels.key/value |
Scope | target.labels.key/value |
RemovableMediaDeviceAttributes.Manufacturer | target.asset.hardware.manufacturer |
RemovableMediaDeviceAttributes.Model | target.asset.hardware.model |
RemovableMediaDeviceAttributes.SerialNumber | target.asset.hardware.serial_number |
FileUploadedToCloud
The following table lists the log fields and corresponding UDM mappings for the operation "FileUploadedToCloud" and workload "Endpoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC | |
DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
EnforcementMode | target.labels.key/value |
EvidenceFile.FullUrl | target.file.full_path |
EvidenceFile.StorageName | target.file.names |
Hidden | security_result.detection_fields.key/value |
JitTriggered | security_result.detection_fields.key/value |
MDATPDeviceId | security_result.detection_fields.key/value |
SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
SensitiveInfoTypeData.Confidence | security_result.detection_fields.key/value |
SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
TargetPrinterName | target.asset.hostname; target.asset.type is set to PRINTER |
TargetDomain | target.labels.key/value |
GenerateDataflowSasToken
The following table lists the log fields and corresponding UDM mappings for the operation "GenerateDataflowSasToken" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
DataflowAccessTokenRequestParameters.entityName | principal.labels.key/value |
DataflowAccessTokenRequestParameters.partitionUri | principal.labels.key/value |
DataflowAccessTokenRequestParameters.permissions | principal.labels.key/value |
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes | principal.labels.key/value |
DataflowId | target.resource.product_object_id |
DataflowName | target.resource.name |
IsSuccess | If else |
ItemName | target.labels.key/value |
GenerateScreenshot
The following table lists the log fields and corresponding UDM mappings for the operation "GenerateScreenshot" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
MDCAssessments
The following table lists the log fields and corresponding UDM mappings for the operation "MDCAssessments" and workload "CompliancePostureManagement":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCAN_UNCATEGORIZED | |
PropertyBag.AssessmentStatusPerInitiative.ArnEventId | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.CloudProvider | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.CustomerResourceId | about.resource.product_object_id |
PropertyBag.AssessmentStatusPerInitiative.EventType | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.ResourceName | about.resource.name |
PropertyBag.AssessmentStatusPerInitiative.ResourceType | about.resource.resource_subtype |
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.StatusCode | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.SubscriptionId | about.labels.key/value |
PropertyBag.AssessmentStatusPerInitiative.SubscriptionName | about.labels.key/value |
PropertyBag.DataType | about.labels.key/value |
RemovableMediaMount
The following table lists the log fields and corresponding UDM mappings for the operation "RemovableMediaMount" and workload "Endpoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
MDATPDeviceId | target.asset.asset_id |
Platform | target.labels.key/value |
Scope | target.labels.key/value |
RemovableMediaDeviceAttributes.Manufacturer | target.asset.hardware.manufacturer |
RemovableMediaDeviceAttributes.Model | target.asset.hardware.model |
RemovableMediaDeviceAttributes.SerialNumber | target.asset.hardware.serial_number |
SignInEvent
The following table lists the log fields and corresponding UDM mappings for the operation "SignInEvent" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AuthenticationType | principal.labels.key/value |
BrowserName | principal.labels.key/value |
BrowserVersion | principal.labels.key/value |
DeviceDisplayName | principal.labels.key/value |
IsManagedDevice | principal.labels.key/value |
ApprovedRequest
The following table lists the log fields and corresponding UDM mappings for the operation "ApprovedRequest" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
ItemName | target.labels.key/value |
CreateForm
The following table lists the log fields and corresponding UDM mappings for the operation "CreateForm" and workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION | |
FormsUserType | target.labels.key/value |
SourceApp | principal.application |
ListForms
The following table lists the log fields and corresponding UDM mappings for the operation "ListForms" and workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
MDCRegulatoryComplianceAssessments
The following table lists the log fields and corresponding UDM mappings for the operation "MDCRegulatoryComplianceAssessments" and workload "CompliancePostureManagement":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SCAN_UNCATEGORIZED | |
PropertyBag.DataType | about.labels.key/value |
PropertyBag.Policy.ArnEventId | about.labels.key/value |
PropertyBag.Policy.Description | about.labels.key/value |
PropertyBag.Policy.DetailsLink | about.labels.key/value |
PropertyBag.Policy.EventTime | about.labels.key/value |
PropertyBag.Policy.EventType | about.labels.key/value |
PropertyBag.Policy.PolicyInitiativeId | about.labels.key/value |
PropertyBag.Policy.PolicyInitiativeName | about.labels.key/value |
PreviewForm
The following table lists the log fields and corresponding UDM mappings for the operation "PreviewForm" and workload "MicrosoftForms":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
ViewedApprovalRequest
The following table lists the log fields and corresponding UDM mappings for the operation "ViewedApprovalRequest" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
ItemName | target.labels.key/value |
ListCreated
The following table lists the log fields and corresponding UDM mappings for the operation "ListCreated" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppAccessContext.UniqueTokenId | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
SiteColumnCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SiteColumnCreated" and workload "OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
ObjectId | target.resource.product_object_id |
ListViewUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "ListViewUpdated" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AppAccessContext.UniqueTokenId | target.labels.key/value |
AuthenticationType | principal.labels.key/value |
BrowserName | principal.labels.key/value |
BrowserVersion | principal.labels.key/value |
CustomizedDoclib | principal.labels.key/value |
DeviceDisplayName | principal.labels.key/value |
FromApp | principal.labels.key/value |
IsManagedDevice | principal.labels.key/value |
ItemCount | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
ListBaseTemplateType | target.labels.key/value |
ListBaseType | target.labels.key/value |
ListColor | target.labels.key/value |
ListIcon | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListTitle | about.labels.key/value |
ObjectId | target.url |
Platform | target.labels.key/value |
RecordType | security_result.detection_fields.key/value |
Site | target.labels.key/value |
Source | security_result.description |
TemplateTypeId | about.labels.key/value |
WebId | about.labels.key/value |
TeamsUserSignedOut
The following table lists the log fields and corresponding UDM mappings for the operation "TeamsUserSignedOut" and workload "MicrosoftTeams":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGOUT | |
extension.auth.auth_type is mapped to SSO | |
ChannelGuid | target.labels.key/value |
ChannelName | target.labels.key/value |
ChatName | target.group.group_display_name |
ChatThreadId | target.user.group_identifiers |
DeviceInformation | principal.labels.key/value |
ItemName | target.labels.key/value |
MessageId | target.labels.key/value |
MessageVersion | target.labels.key/value |
ObjectId | target.labels.key/value |
TeamGuid | target.group.product_object_id |
TeamName | target.group.group_display_name |
UserKey | target.labels.key/value |
UserType | target.user.attribute.roles |
Version | metadata.product_version |
GetWorkspaces
The following table lists the log fields and corresponding UDM mappings for the operation "GetWorkspaces" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
Activity | about.labels.key/value |
ActivityId | about.labels.key/value |
AggregatedWorkspaceInformation.WorkspaceCount | target.labels.key/value |
AggregatedWorkspaceInformation.WorkspacesByCapacitySku | target.labels.key/value |
AggregatedWorkspaceInformation.WorkspacesByType | target.labels.key/value |
IsSuccess | security_result.action |
UserAgent | network.http.user_agent |
ConnectFromExternalApplication
The following table lists the log fields and corresponding UDM mappings for the operation "ConnectFromExternalApplication" and workload "PowerBI":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
Activity | about.labels.key/value |
CustomData | about.labels.key/value |
TaskListRead
The following table lists the log fields and corresponding UDM mappings for the TaskListRead operation and the Planner workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
UserKey | principal.labels.key/value |
ObjectId | target.labels.key/value |
TaskList | target.labels.key/value |
PutConnection
The following table lists the log fields and corresponding UDM mappings for the PutConnection operation and the PowerApps workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
ObjectId | target.labels.key/value |
Version | metadata.product_version |
AdditionalInfo.actionName | security_result.detection_fields.key/value |
ResourceId | target.labels.key/value |
UserKey | target.labels.key/value |
AdditionalInfo.environmentName | target.labels.key/value |
AdminSubmissionTablAllow
The following table lists the log fields and corresponding UDM mappings for the AdminSubmissionTablAllow operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to GENERIC_EVENT. |
SubmissionContent | security_result.detection_fields.key/value |
SubmissionContentType | security_result.detection_fields.key/value |
ObjectId | target.labels.key/value |
Recipients | network.email.to |
SubmissionState | security_result.summary |
SubmissionId | security_result.detection_fields.key/value |
ExtendedProperties | principal.labels.key/value (If Else) |
SubmissionConfidenceLevel | security_result.detection_fields.key/value |
SubmissionType | security_result.detection_fields.key/value |
MessageDate | about.labels.key/value |
P1SenderDomain | principal.administrative_domain |
UserKey | target.labels.key/value |
P2SenderDomain | about.administrative_domain |
Subject | network.email.subject |
Version | metadata.product_version |
Add contact.
The following table lists the log fields and corresponding UDM mappings for the Add contact. operation and the AzureActiveDirectory workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_CREATION. |
ObjectId | target.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
ActorContextId | principal.labels.key/value |
SupportTicketId | about.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
TargetContextId | target.labels.key/value |
UserKey | target.labels.key/value |
Target | security_result.detection_fields.key/value |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
Actor | security_result.detection_fields.key/value |
Version | metadata.product_version |
ExtendedProperties | target.resource.attribute.labels.key/value (If Else) |
ModifiedProperties | target.resource.name (If Else if Else) |
WorkspacePortalUrlReceived
The following table lists the log fields and corresponding UDM mappings for the WorkspacePortalUrlReceived operation and the MicrosoftDefenderForIdentity workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
ResultDescription | security_result.detection_fields.key/value |
UserKey | target.labels.key/value |
PutConnectionPermission
The following table lists the log fields and corresponding UDM mappings for the PutConnectionPermission operation and the PowerApps workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE. |
ObjectId | target.labels.key/value |
Version | metadata.product_version |
AdditionalInfo.actionName | security_result.detection_fields.key/value |
ResourceId | target.resource.attribute.labels.key/value |
UserKey | target.labels.key/value |
AdditionalInfo.environmentName | target.resource.attribute.labels.key/value |
AdditionalInfo.targetObjectId | target.resource.product_object_id |
SensitivityLabeledFileOpened
The following table lists the log fields and corresponding UDM mappings for the SensitivityLabeledFileOpened operation and the PublicEndpoint workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_OPEN. |
PreviousProtectionType.protectionType | security_result.detection_fields.key/value |
CurrentProtectionType.protectionType | security_result.detection_fields.key/value |
DeviceName | target.hostname |
CurrentProtectionType.documentEncrypted | security_result.detection_fields.key/value |
CurrentProtectionType.owner | security_result.about.email_addresses |
TargetLocation | target.labels.key/value |
UserKey | target.labels.key/value |
LabelId | target.labels.key/value |
CurrentProtectionType.templateId | security_result.detection_fields.key/value |
ProtectionEventType | security_result.detection_fields.key/value |
ContentType | target.labels.key/value |
Platform | target.platform |
UserSku | principal.labels.key/value |
PreviousProtectionType.documentEncrypted | security_result.detection_fields.key/value |
ObjectId | target.url |
PreviousProtectionType.owner | security_result.about.email_addresses |
Application | principal.application |
PreviousProtectionType.templateId | security_result.detection_fields.key/value |
Validate
The following table lists the log fields and corresponding UDM mappings for the Validate operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
ResultCount | target.labels.key/value |
DataType | security_result.description |
UserKey | target.labels.key/value |
AadAppId | target.labels.key/value |
RelativeUrl | target.url |
SensitivityLabeledFileRenamed
The following table lists the log fields and corresponding UDM mappings for the SensitivityLabeledFileRenamed operation and the PublicEndpoint workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE. |
PreviousProtectionType.protectionType | security_result.detection_fields.key/value |
CurrentProtectionType.protectionType | security_result.detection_fields.key/value |
DeviceName | target.hostname |
CurrentProtectionType.documentEncrypted | security_result.detection_fields.key/value |
CurrentProtectionType.owner | security_result.about.email_addresses |
TargetLocation | target.labels.key/value |
UserKey | target.labels.key/value |
LabelId | target.labels.key/value |
CurrentProtectionType.templateId | security_result.detection_fields.key/value |
ProtectionEventType | security_result.detection_fields.key/value |
ContentType | target.labels.key/value |
Platform | target.platform |
UserSku | principal.labels.key/value |
PreviousProtectionType.documentEncrypted | security_result.detection_fields.key/value |
ObjectId | target.url |
PreviousProtectionType.owner | security_result.about.email_addresses |
Application | principal.application |
PreviousProtectionType.templateId | security_result.detection_fields.key/value |
PreviousTarget | src.url |
TaskModified
The following table lists the log fields and corresponding UDM mappings for the TaskModified operation and the Planner workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_WRITTEN. |
PlanId | target.resource.attribute.labels.key/value |
UserKey | target.labels.key/value |
ObjectId | target.resource.product_object_id |
DeleteTile
The following table lists the log fields and corresponding UDM mappings for the DeleteTile operation and the PowerBI workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_DELETION. |
WorkspaceId | target.resource.product_object_id |
WorkSpaceName | target.resource.name |
UserKey | target.labels.key/value |
ActivityId | principal.labels.key/value |
RefreshEnforcementPolicy | security_result.detection_fields.key/value |
RequestId | about.labels.key/value |
IsSuccess | security_result.action |
UserAgent | network.http.user_agent |
ObjectId | target.resource.attribute.labels.key/value |
QuarantineReleaseMessage
The following table lists the log fields and corresponding UDM mappings for the QuarantineReleaseMessage operation and the Quarantine workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
NetworkMessageId | security_result.detection_fields.key/value |
ReleaseTo | security_result.detection_fields.key/value |
RequestType | security_result.detection_fields.key/value |
RequestSource | security_result.detection_fields.key/value |
WorkspaceStatusReceived
The following table lists the log fields and corresponding UDM mappings for the WorkspaceStatusReceived operation and the MicrosoftDefenderForIdentity workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
ResultDescription | security_result.detection_fields.key/value |
LinkedEntityUpdated
The following table lists the log fields and corresponding UDM mappings for the LinkedEntityUpdated operation and the MicrosoftTodo workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_WRITTEN. |
ActorAppId | target.labels.key/value |
ItemId | security_result.detection_fields.key/value and target.resource.product_object_id |
ItemType | target.resource.attribute.labels.key/value |
TargetActorId | target.labels.key/value |
TargetActorTenantId | target.labels.key/value |
ViewResponse
The following table lists the log fields and corresponding UDM mappings for the ViewResponse operation and the MicrosoftForms workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
FormsUserTypes | principal.labels.key/value |
SourceApp | principal.application |
FormName | target.resource.name |
FormId | target.resource.product_object_id |
PlanListRead
The following table lists the log fields and corresponding UDM mappings for the PlanListRead operation and the Planner workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to RESOURCE_READ. |
PlanList | target.resource.product_object_id |
ObjectId | target.resource.attribute.labels.key/value |
O365SyncAdminUserPromotion
The following table lists the log fields and corresponding UDM mappings for the O365SyncAdminUserPromotion operation and the Yammer workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to STATUS_UPDATE. |
ActorUserId | principal.user.email_addresses or principal.user.userid |
ActorYammerUserId | principal.labels.key/value |
ObjectId | target.labels.key/value |
YammerNetworkId | principal.labels.key/value |
FileCopiedToClipboard
The following table lists the log fields and corresponding UDM mappings for the FileCopiedToClipboard operation and the Endpoint workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_UNCATEGORIZED. |
Application | principal.application |
DeviceName | target.hostname |
DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
EnforcementMode | target.labels.key/value |
EvidenceFile.FullUrl | target.labels.key/value |
EvidenceFile.StorageName | target.labels.key/value |
FileExtension | target.file.mime_type |
FileType | target.resource.attribute.labels.key/value |
Hidden | security_result.detection_fields.key/value |
JitTriggered | security_result.detection_fields.key/value |
MDATPDeviceId | security_result.detection_fields.key/value |
ObjectId | target.file.full_path |
Platform | target.labels.key/value |
PolicyMatchInfo | target.resource.product_object_id |
SensitiveInfoTypeData | security_result.detection_fields.key/value |
Scope | target.labels.key/value |
RMSEncrypted | security_result.detection_fields.key/value |
SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
SourceLocationType | principal.labels.key/value |
TargetDomain | target.domain.name |
TargetFilePath | target.labels.key/value |
OriginatingDomain | principal.domain.name |
FileTranscriptContentAccessed
The following table lists the log fields and corresponding UDM mappings for the FileTranscriptContentAccessed operation and the OneDrive workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_READ. |
AlternateStreamId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application and target.resource.name |
ApplicationId | target.resource.product_object_id |
AuthenticationType | principal.labels.key/value |
AppAccessContext.UniqueTokenId | target.labels.key/value |
BrowserName | principal.labels.key/value |
BrowserVersion | principal.labels.key/value |
DeviceDisplayName | principal.labels.key/value |
IsManagedDevice | principal.labels.key/value |
EventSource | principal.application |
HighPriorityMediaProcessing | about.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
ListBaseType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ListServerTemplate | security_result.detection_fields.key/value |
ObjectId | target.url |
Platform | target.labels.key/value |
Site | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path, which is set to SourceRelativeUrl/SourceFileName |
SourceRelativeUrl | target.file.full_path, which is set to SourceRelativeUrl/SourceFileName |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
Set-DlpCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the Set-DlpCompliancePolicy operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
ClientApplication | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
ObjectId | target.resource.product_object_id |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
StartTime | target.resource.attribute.creation_time |
UserKey | target.labels.key/value |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |
Remove-DlpCompliancePolicy
The following table lists the log fields and corresponding UDM mappings for the Remove-DlpCompliancePolicy operation and the SecurityComplianceCenter workload:
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_DELETION. |
ClientApplication | principal.labels.key/value |
CmdletVersion | metadata.product_version |
EffectiveOrganization | target.administrative_domain |
ObjectId | target.resource.product_object_id |
Parameters | target.process.command_line |
SecurityComplianceCenterEventType | about.labels.key/value |
StartTime | target.resource.attribute.creation_time |
UserKey | target.labels.key/value |
UserServicePlan | principal.labels.key/value |
Version | metadata.product_version |