Microsoft 365-Protokolle erfassen

In diesem Dokument wird beschrieben, wie Sie Microsoft 365-Logs erfassen, indem Sie einen Chronicle-Feed einrichten und Logsfelder den Feldern der Chronicle Unified Data Model (UDM) zuordnen. In diesem Dokument werden auch die unterstützten geprüften Aktivitäten und die unterstützte Microsoft 365-Version aufgeführt.

Eine Übersicht über die Datenaufnahme in Chronicle finden Sie unter Datenaufnahme in Chronicle.

Übersicht

Das folgende Diagramm der Bereitstellungsarchitektur zeigt, wie der Microsoft 365- und Chronicle-Feed zum Senden von Logs an Chronicle konfiguriert ist. Jede Kundenbereitstellung kann von dieser Darstellung abweichen und komplexer sein.

Deployment-Architektur

Das Architekturdiagramm enthält die folgenden Komponenten:

Microsoft 365 Der Microsoft 365-Dienst, von dem Sie Logs erfassen.
Chronicle-Feed. Der Chronicle-Feed, der Logs aus Microsoft 365 abruft und in Chronicle schreibt.
Chronicle Chronicle speichert und analysiert die Logs aus Microsoft 365.

Ein Aufnahmelabel identifiziert den Parser, der die Protokollrohdaten in ein strukturiertes UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel OFFICE_365.

Hinweis

Verwenden Sie Microsoft 365 Version 2204 Build 16.0.15128.20248 oder höher und prüfen Sie, ob Sie ein Microsoft 365 Enterprise E5-Abo mit Microsoft Security and Compliance Center haben.
Erteilen Sie dem Nutzer die erforderlichen Berechtigungen und Berechtigungen zum Generieren und Exportieren unterschiedlicher Ereignisse für alle unterstützten Microsoft-Produkte. Eine Beispielberechtigung finden Sie unter Berechtigungen für den Zugriff auf Management-APIs.
Konfigurieren Sie Microsoft 365 für das Suchen und Exportieren von Logs. Microsoft Azure Active Directory (Azure AD) ist der Verzeichnisdienst für Microsoft 365. Das Erstellen der Logs kann bis zu 24 Stunden dauern. Weitere Informationen finden Sie im Hilfeartikel Audit-Log für Administratoren.
Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.

Prüfen Sie die Aktivitäten und Produkte, die der Chronicle-Parser unterstützt. In der folgenden Tabelle sind die Aktivitäten und Produkte aufgeführt, die der Chronicle-Parser unterstützt:

Aktivitäten	Produkte
Datei- und Seitenaktivitäten	SharePoint Online und OneDrive for Business
Ordneraktivitäten	SharePoint Online und OneDrive for Business
Aktivitäten für SharePoint-Listen	SharePoint Online
Aktivitäten zu Freigabe und Zugriffsanfragen	SharePoint Online und OneDrive for Business
Synchronisierungsaktivitäten	SharePoint Online und OneDrive for Business
Website-Berechtigungsaktivitäten	SharePoint Online
Website-Verwaltungsaktivitäten	SharePoint Online
Aktivitäten in Exchange-Postfach	Microsoft 365-Gruppenpostfächer
Aktivitäten der Nutzerverwaltung	Microsoft 365 Admin Center
Verwaltungsaktivitäten für Azure AD-Gruppen	Microsoft 365 Admin Center
Anwendungsverwaltungsaktivitäten	Wenn ein Administrator eine in Azure AD registrierte Anwendung hinzufügt oder ändert
Rollenverwaltungsaktivitäten	Microsoft 365 Admin Center
Verzeichnisverwaltungsaktivitäten	Microsoft 365 Admin Center
Power-BI-Aktivitäten	Logo: Power BI
Microsoft Teams-Aktivitäten	Microsoft Teams
Aktivitäten von Microsoft Teams	Verschiebt die App in Microsoft Teams
Microsoft Teams – Aktivitäten im Gesundheitswesen	Patientenanwendung in Microsoft Teams
Aktivitäten von Microsoft Teams	Verschiebt die App in Microsoft Teams
Yammer-Aktivitäten	Yammer
Aktivitäten in Microsoft Power Automation	Power Automate (früher Microsoft Flow)
Microsoft PowerApps-Aktivitäten	Power-Apps
Microsoft Stream-Aktivitäten	Microsoft Stream
Quarantäneaktivitäten	E-Mails unter Office 365 unter Quarantäne stellen
Microsoft Forms: Aktivitäten	Microsoft Teams
Aktivitäten für empfindliche Labels	Aktivitäten für SharePoint Online und Teams mit Labels versehen
Aktivitäten in Bezug auf Aufbewahrungsrichtlinien und -labels	–
E-Mail-Aktivitäten für die Auswahl	E-Mail-Auswahl
MyAnalytics-Aktivitäten	MyAnalytics
Aktivitäten zu Informationsbarrieren	–
Überprüfung von Aktivitäten	–
Compliance-Aktivitäten bei der Kommunikation	–
Nicht definierte Aktivität	–

Feed in Chronicle für die Aufnahme von Microsoft 365-Logs konfigurieren

Rufen Sie die Chronicle-Einstellungen auf und klicken Sie auf Feeds.
Klicken Sie auf Neu hinzufügen.
Wählen Sie als Quelltyp die Option Drittanbieter-API aus.
Wählen Sie als Logtyp die Option Office 365 aus.
Klicken Sie auf Nächster Schritt.
Geben Sie basierend auf der Microsoft 365-Konfiguration die Details für die OAuth-Client-ID, den OAuth-Clientschlüssel und die Mandanten-ID an.
Wählen Sie den Inhaltstyp aus, für den Sie diesen Feed erstellen. Du musst für jeden erforderlichen Inhaltstyp einen separaten Feed erstellen.
Klicken Sie auf Weiter und dann auf Senden.

Weitere Informationen zu Chronicle-Feeds finden Sie in der Dokumentation zu Chronicle-Feeds.

Referenz zur Feldzuordnung

In diesem Abschnitt wird erläutert, wie der Chronicle-Parser Microsoft 365-Protokollfelder den Feldern der Chronicle Unified Data Model (UDM) für die unterstützten Vorgänge und Arbeitslasten zuordnet.

Allgemeine Felder

In der folgenden Tabelle sind die gängigen Logfelder und die entsprechenden UDM-Felder aufgeführt.

Common log field	UDM field
ID	metadata.product_log_id
RecordType	security_result.detection_fields.key/value security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc
CreationTime	metadata.event_timestamp
Operation	metadata.product_event_type
OrganizationId	principal.resource.product_object_id
UserType	principal.user.attribute.roles.name
UserId	principal.user.email_addresses or principal.user.userid target.user.email_addresses or target.user.userid If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user If UserId value contains email address then it is mapped to email_address, else it is mapped to userid.
ClientIP	principal.ip and principal.port
Workload	target.application
AppAccessContext	network.session.id security_result.detection_fields.key/value AADSessionId is mapped to network.session.id CorrelationId is mapped to security_result.detection_fields.key/value

Referenzinformationen zu UDM-Zuordnungen für unterstützte Vorgänge finden Sie in den folgenden Abschnitten:

Dateizugriff

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Fileaccessed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Dateizugriff (erweitert)

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileAccessedExtended“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei gelöscht

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei kopiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCopy“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei geändert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileModified“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

Datei heruntergeladen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „File Heruntergeladen“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
UserSessionId	network.http.session_id
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ZipFileName	principal.resource.parent

Geänderte Datei geändert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileModifiedExtended“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

Datei verschoben

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileMoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Dateivorschau

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FilePreviewed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei umbenannt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileUmbenennend“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

Datei hochgeladen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileUploaded“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ImplicitShare	target.resource.attribute.labels.key/value

FileVersionsAllDeleted

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionsAllDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
WebId	about.labels.key/value

Eingecheckt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCheckedIn“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	workload map with intermediary.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei-Check-out

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCheckedOut“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	Uniquely Identify resource in site like File or Folder
ItemType	This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	Information about the user's browser. This information is provided by the browser.
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ComplianceEinstellung geändert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ComplianceSettingChanged“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
SharingType	target.labels.key/value

LockRecord

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „LockRecord“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Entsperrung

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UnlockRecord“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei gelöscht – erste Phase des Recyclings

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDeletedFirstStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SharingType	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei gelöschter zweiter Anzeigebereich Recycling

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDeletedSecondStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datensatz löschen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RecordDelete“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DocumentSensitivityMismatchDetected“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCheckOutVerworfen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCheckOutVerworfen“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DateiversionenAllMinds Recycled

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionsAllMinorsRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DateiversionAllRecycled

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionsAllRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Dateiversion recycelt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Datei wiederhergestellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileRestored“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SharingType	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileMalwareDetected

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileMalwareDetected“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
VirusInfo	security_result.threat_name
VirusVendor	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Suchanfrage ausgeführt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchQueryPerformed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
EventData	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Seitenaufruf

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PageViewed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Vorabruf von Seiten

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PagePrefetched“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Clientansicht Signaled

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ClientViewSignaled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

Seitenaufruf (erweitert)

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PageViewedExtended“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

Ordner erstellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner gelöscht

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner verschoben

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderMoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} SourceRelativeUrl field not getting in log
DestinationRelativeUrl	DestinationRelativeUrl field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	DestinationFileName field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner umbenannt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderUmbenennend“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner geändert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderModified“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner kopiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderCopy“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path
SourceRelativeUrl	src.file.full_path
DestinationRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner wiederhergestellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderRestored“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

OrdnerDeleteFirstStageRecycleBin

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderDeletedFirstStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Ordner Gelöscht

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderDeletedSecondStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncHeruntergeladen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncDownloadsFull“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	src.file.size
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncHeruntergeladen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncDownloadsPartial“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	src.file.size
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncUploadedFull

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncUploadedFull“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	target.file.size
ImplicitShare	target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncUploadedPartial

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncUploadedPartial“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	target.file.size
ImplicitShare	target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ManagedSyncClientAllowed

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ManagedSyncClientAllowed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_WRITTEN
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

UnmanagedSyncClientBlocked

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UnmanagedSyncClientBlocked“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

Hinzugefügte Gruppe

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddedToGroup“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.group.group_display_name
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
Site	target.labels.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Gruppe hinzugefügt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupAdded“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
Site	target.labels.key/value
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Gruppe entfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupRemoved“ und „SharePoint“ der Arbeitslast aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebRequestAccessModified

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „WebRequestAccessModified“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebMembersCanShareModified

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „WebMembersCanShareModified“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
version	metadata.product_version
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Berechtigungsstufe geändert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PermissionLevelModified“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name
version	metadata.product_version
WebID	about.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebsitesammlungAdministrator hinzugefügt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteCollectionAdminAdded“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebsitesammlungVerwaltung entfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteCollectionAdminRemoved“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId	about.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Berechtigungslevel entfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PermissionLevelRemoved“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.permissions.name
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Aus Gruppe entfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemovedFromGroup“ und die Arbeitslast „SharePoint“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.group.group_display_name
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Gruppe aktualisiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupUpdated“ und „SharePoint“ der Arbeitslast aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.referral_url
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

Projekt-Check-out

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ProjectCheckedOut“ und die Arbeitslast „Projekt“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

Projektzugriff

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ProjectAccessed“ und die Arbeitslast „Project“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

Freigabeübernahme defekt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInheritanceBroken“ und „SharePoint“ aufgelistet:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application

Hinzugefügt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddedToSecureLink“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId	target.labels.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ApplicationDisplayName	target.application

Unternehmensverknüpfung erstellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CompanyLinkCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
ApplicationDisplayName	target.application

Verwendetes Unternehmen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CompanyLinkUsed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SecureLinkCreated

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value

Freigabeeinladung erstellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLink Gelöscht

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application

Aus SecureLink entfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemovedFromSecureLink“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id

Freigabeeinladung widerrufen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingEinladung widerrufen“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkAktualisiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkUsed

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkUsed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

Freigabe widerrufen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingWiderrufed“ und „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

Freigabesatz

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingSet“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Berechtigungsstufe hinzugefügt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PermissionLevelAdded“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name

Freigabeeinladung angenommen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationAccept“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.name Added to Group is mapped to target.resource.name

Freigabeeinladung blockiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationblock“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	security_result.summary Reason is mapped to security_result.summary

Zugriffsanfrage erstellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessRequestCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value

Anonymer LinkErstellt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value

Zugriffsanfrage aktualisiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessRequestUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
ModifiedProperties	target.labels.key/value

FirmaLinkEntfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CompanyLinkRemoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value

Zugriffsanforderung genehmigt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessRequestGenehmigt“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
EventData	target.resource.name Extract using grok grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } }
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id

Anonymer Linkentfernt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkRemoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value
SourceFileExtension	target.file.mime_type
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
MachineId	target.asset.product_object_id

Anonymer LinkAktualisiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkUpdated“ und „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
ApplicationDisplayName	target.application
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

Freigabeeinladung aktualisiert

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ModifiedProperties	target.labels.key/value
	event_type is mapped to USER_RESOURCE_ACCESS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

Anonymer LinkVerwendet

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkUsed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Gruppe hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gruppe hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set toGroup membership update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Mitglied zur Gruppe hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied zu Gruppe hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else map about.labels.key/value
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Nutzer hinzugefügt

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzer hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

Nutzerlizenz ändern.

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzerlizenz ändern“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Nutzerpasswort ändern

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzerpasswort ändern“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group deletion successful ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group deletion failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Gruppe löschen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gruppe löschen“ und „AzureActiveDirectory“ aufgelistet:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group membership update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Mitglied aus der Gruppe entfernen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied aus Gruppe entfernen“ und Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION if status is Success then action ALLOW security_result.summary User deleted successfully
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Nutzer löschen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzer löschen“ und „AzureActiveDirectory“ aufgelistet:

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is Success Action is set to ALLOW security_result.summary is User updated successfully ResultStatus is Failure Action is set to BLOCK security_result.summary is User update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Nutzer aktualisieren

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzer aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION if ObjectId not contain (empty) or Not Available then ObjectId is set to target.group.product_object_id
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Gruppe aktualisieren

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gruppe aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN If ResultStatus is Succeeded or ResultStatus is Success security_result.action is ALLOW security_result.summary is User login successful else if ResultStatus is Failed or LogonError !is security_result.action is BLOCK security_result.summary is User login failed security_result.description is {LogonError} UserId is mapped to target.user.userid or target.user.email_addresses metadata.description is User Login - {Workload}
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description

Nutzeranmeldung

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UserLoggedIn“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN security_result.Action is set to BLOCK security_result.summary is User login failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE If Name is UserAgent then Value is mapped to network.http.user_agent If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type If Name is requestType then Based on Value it will map with extensions.auth.type
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is matched to Windows then principal.platform is WINDOWS If Value is matched to Mac then principal_plateform is MAC if Value is matched to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

Nutzeranmeldung fehlgeschlagen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UserLoginFailed“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

StsRefreshTokenValidFrom Timestamp aktualisieren

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StsRefreshTokenValidFrom Timestamp“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summary If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Gerät aktualisieren

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Föderationseinstellungen für Domain festlegen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Föderationseinstellungen für Domain festlegen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

Domain bestätigen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Domain bestätigen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Unternehmensinformationen festlegen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Unternehmensinformationen festlegen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Nutzerpasswort zurücksetzen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzerpasswort zurücksetzen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.description security_result.summary target.labels.key/value If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue} If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Konto deaktivieren

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Konto deaktivieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Anwendungspasswort für Nutzer löschen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „App-Passwort für Nutzer löschen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Gerät löschen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät löschen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Registrierte Nutzer zum Gerät hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Registrierte Nutzer zum Gerät hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Registrierten Inhaber zum Gerät hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Registrierte Inhaber zu Gerät hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Inhaber zu Gruppe hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Inhaber zu Gruppe hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product_object_id target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

OAuth2PermissionGrant hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OAuth2PermissionGrant“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Gerät hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Dem Nutzer die Zuweisung einer App-Rollenzuweisung hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „App-Rollenzuweisung für Nutzer hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSION Workload is mapped to intermediary.application
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.application network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetName then Value is mapped to target.application If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.user.userid or target.user.email_addresses If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Einwilligung zur Anwendung

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Einwilligen zur Anwendung“ und Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Hauptkonto aktualisieren

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Service Principal aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Hauptkonto für Dienst hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Diensthauptkonto hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Hauptkonto entfernen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Diensthauptkonto entfernen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

Mitglied zur Rolle hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied zu Rolle hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Added a user to an admin role successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Added a user to an admin role failed ObjectId is mapped to target.url
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.user.attribute.roles.name if Name is Role.ObjectId then NewValue is target.resource.product_object_id If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Mitglied aus Rolle entfernen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied aus Rolle entfernen“ und Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is Success then Action is set to ALLOW security_result.summary is Removed a user to an admin role successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is Removed a user to an admin role failed
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.user.attribute.roles.name if Name is Role.ObjectId then NewValue is target.resource.product_object_id If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
	event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId	target.labels.key/value
Version	metadata.product_version

Label hinzufügen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Label hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is set to target.resource.product_object_id
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId	target.labels.key/value
Version	metadata.product_version

Unternehmen erstellen

In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Unternehmen erstellen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION ObjectId is set to target.resource.product_object_id
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value