Microsoft 365-Protokolle erfassen
In diesem Dokument wird beschrieben, wie Sie Microsoft 365-Logs erfassen, indem Sie einen Chronicle-Feed einrichten, und wie Logfelder den Feldern von Chronicle Unified Data Model (UDM) zugeordnet werden. In diesem Dokument werden auch die unterstützten geprüften Aktivitäten und die unterstützte Microsoft 365-Version aufgeführt.
Einen Überblick über die Datenaufnahme in Chronicle finden Sie unter Datenaufnahme in Chronicle.
Überblick
Das folgende Diagramm der Bereitstellungsarchitektur zeigt, wie Microsoft 365 und der Chronicle-Feed so konfiguriert werden, dass Logs an Chronicle gesendet werden. Jede Kundenbereitstellung kann sich von dieser Darstellung unterscheiden und komplexer sein.
Das Architekturdiagramm zeigt die folgenden Komponenten:
Microsoft 365 Der Microsoft 365-Dienst, von dem Sie Protokolle erfassen.
Chronicle-Feed: Der Chronicle-Feed, der Protokolle von Microsoft 365 abruft und in Chronicle schreibt.
Chronicle: Chronicle speichert und analysiert die Logs von Microsoft 365.
Ein Aufnahmelabel identifiziert den Parser, der die Log-Rohdaten in das strukturierte UDM-Format normalisiert. Die Informationen in diesem Dokument gelten für den Parser mit dem Aufnahmelabel OFFICE_365.
Hinweise
Verwenden Sie Microsoft 365 Version 2204 Build 16.0.15128.20248 oder höher und prüfen Sie, ob Sie ein Microsoft 365 Enterprise E5-Abo mit dem Feature „Microsoft Security and Compliance Center“ haben.
Gewähren Sie dem Nutzer die erforderlichen Berechtigungen und Berechtigungen, um verschiedene Ereignisse für alle unterstützten Microsoft-Produkte zu generieren und zu exportieren. Ein Beispiel für eine Berechtigung finden Sie unter Berechtigungen für den Zugriff auf Management-APIs.
Microsoft 365 für die Suche und den Export von Protokollen konfigurieren. Microsoft Azure Active Directory (Azure AD) ist der Verzeichnisdienst für Microsoft 365. Das Generieren der Logs kann bis zu 24 Stunden dauern. Weitere Informationen finden Sie unter Audit-Log durchsuchen.
Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.
Aktivitäten und Produkte prüfen, die vom Chronicle-Parser unterstützt werden In der folgenden Tabelle sind die Aktivitäten und Produkte aufgeführt, die vom Chronicle-Parser unterstützt werden:
Aktivitäten Produkte Datei- und Seitenaktivitäten SharePoint Online und OneDrive for Business Ordneraktivitäten SharePoint Online und OneDrive for Business Aktivitäten in der SharePoint-Liste SharePoint Online Anfrageaktivitäten freigeben und darauf zugreifen SharePoint Online und OneDrive for Business Synchronisierungsaktivitäten SharePoint Online und OneDrive for Business Website-Berechtigungsaktivitäten SharePoint Online Website-Verwaltungsaktivitäten SharePoint Online Exchange-Postfachaktivitäten Microsoft 365-Gruppenpostfächer Aktivitäten für die Nutzerverwaltung Microsoft 365 Admin Center Verwaltungsaktivitäten von Azure AD-Gruppen Microsoft 365 Admin Center Aktivitäten zur Anwendungsverwaltung Wenn ein Administrator eine in Azure AD registrierte Anwendung hinzufügt oder ändert Aktivitäten zur Rollenverwaltung Microsoft 365 Admin Center Verzeichnisverwaltungsaktivitäten Microsoft 365 Admin Center Power BI-Aktivitäten Logo: Power BI Microsoft Teams-Aktivitäten Microsoft Teams Microsoft Teams-Schichtaktivitäten Shifts App in Microsoft Teams Healthcare-Aktivitäten in Microsoft Teams Patientenanwendung in Microsoft Teams Microsoft Teams-Schichtaktivitäten Shifts App in Microsoft Teams Jammer-Aktivitäten Yammer Microsoft Power Automate-Aktivitäten Power Automate (früher Microsoft Flow) Microsoft PowerApps-Aktivitäten Power-Apps Microsoft Stream-Aktivitäten Microsoft Stream Aktivitäten unter Quarantäne stellen E-Mails in Office 365 unter Quarantäne stellen Aktivitäten in Microsoft Formulare Microsoft Teams Aktivitäten für Empfindlichkeitslabels Labeling-Aktivitäten für SharePoint Online und Teams Aufbewahrungsrichtlinien und Aktivitäten für Aufbewahrungslabels – E-Mail-Aktivitäten zum Briefing Briefing-E-Mail MyAnalytics-Aktivitäten MyAnalytics Aktivitäten im Zusammenhang mit Informationsbarrieren – Aktivitäten zur Überprüfung der Disposition – Compliance-Aktivitäten für die Kommunikation – Nicht definierte Aktivität –
Feed in Chronicle konfigurieren, um Microsoft 365-Logs aufzunehmen
- Rufen Sie die Chronicle-Einstellungen auf und klicken Sie auf Feeds.
- Klicken Sie auf Add new (Neuen Eintrag hinzufügen).
- Wählen Sie als Quelltyp die Option Drittanbieter-API aus.
- Wählen Sie Office 365 als Log Type (Logtyp) aus.
- Klicken Sie auf Next (Weiter).
- Je nach Microsoft 365-Konfiguration geben Sie die OAuth-Client-ID, den OAuth-Clientschlüssel und die Mandanten-ID an.
- Wählen Sie den Inhaltstyp aus, für den Sie diesen Feed erstellen. Du musst für jeden erforderlichen Inhaltstyp einen separaten Feed erstellen.
- Klicken Sie auf Weiter und dann auf Senden.
Weitere Informationen zu Chronicle-Feeds finden Sie in der Dokumentation zu Chronicle-Feeds.
Referenz zur Feldzuordnung
In diesem Abschnitt wird erläutert, wie der Chronicle-Parser Microsoft 365-Logfelder für unterstützte Vorgänge und Arbeitslasten den Feldern des Chronicle Unified Data Model (UDM) zuordnet.
Allgemeine Felder
In der folgenden Tabelle sind die allgemeinen Logfelder und die entsprechenden UDM-Felder aufgeführt.
| Common log field | UDM field |
|---|---|
| ID | metadata.product_log_id |
| RecordType | security_result.detection_fields.key/value security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc |
| CreationTime | metadata.event_timestamp |
| Operation | metadata.product_event_type |
| OrganizationId | principal.resource.product_object_id |
| UserType | principal.user.attribute.roles.name |
| UserId | principal.user.email_addresses or principal.user.userid target.user.email_addresses or target.user.userid If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user If UserId value contains email address then it is mapped to email_address, else it is mapped to userid. |
| ClientIP | principal.ip and principal.port |
| Workload | target.application |
| AppAccessContext | network.session.id security_result.detection_fields.key/value AADSessionId is mapped to network.session.id CorrelationId is mapped to security_result.detection_fields.key/value |
Referenzinformationen zu UDM-Zuordnungen für unterstützte Vorgänge finden Sie in den folgenden Abschnitten:
FileAccessed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Fileaccessed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileAccessedExtended
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileAccessedExtended“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileCopied
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCopied“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_COPY
target.resource.resource_type is set to STORAGE_OBJECT |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | src.file.full_path
target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileModified“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MODIFICATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileDownloaded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDownloaded“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| UserSessionId | network.http.session_id |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ZipFileName | principal.resource.parent |
FileModifiedExtended
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileModifiedExtended“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MODIFICATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileMoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileMoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FilePreviewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FilePreviewed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileRenamed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileUmbenennend“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileUploaded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileUploaded“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ImplicitShare | target.resource.attribute.labels.key/value |
FileVersionsAllDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionsAllDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
FileCheckedIn
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCheckedIn“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | workload map with intermediary.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckedOut
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCheckedOut“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | Uniquely Identify resource in site like File or Folder |
| ItemType | This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | Information about the user's browser. This information is provided by the browser. |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
ComplianceSettingChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ComplianceSettingChanged“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| SharingType | target.labels.key/value |
LockRecord
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „LockRecord“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
UnlockRecord
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UnlockRecord“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedFirstStageRecycleBin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDeletedFirstStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SharingType | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedSecondStageRecycleBin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDeletedSecondStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
RecordDelete
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RecordDelete“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DocumentSensitivityMismatchDetected“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DocumentSensitivityMismatchDetected“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckOutDiscarded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCheckOutVerworfen“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllMinorsRecycled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionsAllMinorsRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllRecycled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionsAllRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionRecycled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVersionRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileRestored
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileRestored“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SharingType | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileMalwareDetected
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileMalwareDetected“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| VirusInfo | security_result.threat_name |
| VirusVendor | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
SearchQueryPerformed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchQueryPerformed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
target.resource.resource_type is set to STORAGE_OBJECT |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| EventData | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
PageViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PageViewed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
PagePrefetched
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PagePrefetched“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
ClientViewSignaled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ClientViewSignaled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
PageViewedExtended
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PageViewedExtended“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
FolderCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderMoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderMoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE
target.resource.resource_type is set to STORAGE_OBJECT |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl field not getting in log |
| DestinationRelativeUrl | DestinationRelativeUrl field not getting in log
target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | DestinationFileName field not getting in log
target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | src.file.full_path
target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl} |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderRenamed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderUmbenennend“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderModified“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderCopied
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderCopied“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_COPY
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path |
| SourceRelativeUrl | src.file.full_path |
| DestinationRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| DestinationFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderRestored
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderRestored“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedFirstStageRecycleBin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderDeletedFirstStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedSecondStageRecycleBin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderDeletedSecondStageRecycleBin“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedFull
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncDownloadedFull“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | src.file.size |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedPartial
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncDownloadedPartial“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | src.file.size |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedFull
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncUploadedFull“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | target.file.size |
| ImplicitShare | target.resource.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedPartial
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileSyncUploadedPartial“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | target.file.size |
| ImplicitShare | target.resource.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
ManagedSyncClientAllowed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ManagedSyncClientAllowed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_WRITTEN | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
UnmanagedSyncClientBlocked
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UnmanagedSyncClientBlocking“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
AddedToGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddedToGroup“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is mapped to target.url |
|
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| EventData | target.group.group_display_name |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
GroupAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupAdded“ und die Arbeitslast „SharePoint“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
ObjectId is mapped to target.url |
|
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
GroupRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupRemoved“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
WebRequestAccessModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „WebRequestAccessModified“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
WebMembersCanShareModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „WebMembersCanShareModified“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| version | metadata.product_version |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
PermissionLevelModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PermissionLevelModified“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.resource.attribute.permissions.name
BasePermissions is mapped to target.resource.attribute.permissions.name |
| version | metadata.product_version |
| WebID | about.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
SiteCollectionAdminAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteCollectionAdminAdded“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| ModifiedProperties | If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
SiteCollectionAdminRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteCollectionAdminRemoved“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| ModifiedProperties | If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses |
| AssertingApplicationId | about.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
PermissionLevelRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PermissionLevelRemoved“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.permissions.name |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
RemovedFromGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemovedFromGroup“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.group.group_display_name |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
GroupUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupUpdated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.referral_url |
| ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
ProjectCheckedOut
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ProjectCheckedOut“ und die Arbeitslast „Project“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| Version | metadata.product_version |
| Action | security_result.description |
| OnBehalfOfResId | about.labels.key/value |
ProjectAccessed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ProjectAccessed“ und die Arbeitslast „Project“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT |
|
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| Version | metadata.product_version |
| Action | security_result.description |
| OnBehalfOfResId | about.labels.key/value |
SharingInheritanceBroken
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInheritanceBroken“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
AddedToSecureLink
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddedToSecureLink“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| CorrelationId | security_result.detection_fields.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| UniqueSharingId | target.labels.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ApplicationDisplayName | target.application |
CompanyLinkCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CompanyLinkCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| ApplicationDisplayName | target.application |
CompanyLinkUsed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CompanyLinkUsed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
SecureLinkCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
SharingInvitationCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
SecureLinkDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkDeleted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
RemovedFromSecureLink
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemovedFromSecureLink“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
SharingInvitationRevoked
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationDeletion“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
SecureLinkUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
SecureLinkUsed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SecureLinkUsed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
SharingRevoked
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingCanceld“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
SharingSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingSet“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
PermissionLevelAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PermissionLevelAdded“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.permissions.name
BasePermissions is mapped to target.resource.attribute.permissions.name |
SharingInvitationAccepted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationAccepted“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.name
Added to Group is mapped to target.resource.name |
SharingInvitationBlocked
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationBlocking“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| EventData | security_result.summary
Reason is mapped to security_result.summary |
AccessRequestCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessRequestCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| EventData | target.resource.attribute.labels.key/value
Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value |
AnonymousLinkCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkCreated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| UniqueSharingId | target.labels.key/value |
AccessRequestUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessRequestUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| ModifiedProperties | target.labels.key/value |
CompanyLinkRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CompanyLinkRemoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value |
AccessRequestApproved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessRequestApproved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
| EventData | target.resource.name
Extract using grok grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } } |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
AnonymousLinkRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkRemoved“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| UniqueSharingId | target.labels.key/value |
| SiteUrl | network.http.referral_url
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| MachineId | target.asset.product_object_id |
AnonymousLinkUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ApplicationDisplayName | target.application |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
SharingInvitationUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingInvitationUpdated“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| ApplicationDisplayName | target.application |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ModifiedProperties | target.labels.key/value |
| event_type is mapped to USER_RESOURCE_ACCESS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
AnonymousLinkUsed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnonymousLinkUsed“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.group.group_display_name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Gruppe hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gruppe hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set toGroup membership update failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product.object_id
target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Mitglied zur Gruppe hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied zu Gruppe hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_CREATION
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if
else map |
| ModifiedProperties | security_result.summary
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
Nutzer hinzugefügt
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Add user und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
|
|
| Version | metadata.product_version
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
Nutzerlizenz ändern.
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzerlizenz ändern“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Nutzerpasswort ändern
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzerpasswort ändern“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION
ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group deletion successful ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group deletion failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.group.group_display_name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Gruppe löschen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gruppe löschen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group membership update failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product.object_id
target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Mitglied aus der Gruppe entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied aus Gruppe entfernen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION
if status is Success then action ALLOW security_result.summary User deleted successfully |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Nutzer löschen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Delete user und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
Nutzer aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Update user und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GROUP_MODIFICATION
if |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
ModifiedProperties
|
security_result.detection_fields.key/value
If
If
If
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.group.group_display_name
If
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
Gruppe aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gruppe aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_LOGIN
If ResultStatus is Succeeded or ResultStatus is Success security_result.action is ALLOW security_result.summary is User login successful else if ResultStatus is Failed or LogonError !is security_result.action is BLOCK security_result.summary is User login failed security_result.description is {LogonError} UserId is mapped to target.user.userid or target.user.email_addresses metadata.description is User Login - {Workload} |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
extensions.auth.type extensions.auth.mechanism |
| ModifiedProperties | target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
| DeviceProperties | network.session_id
principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname |
| ErrorCode | security_result.description
security_result.description is set to ErrorCode - {ErrorCode} |
| LogonError | security_result.description |
UserLoggedIn
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UserLoggedIn“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_LOGIN
security_result.Action is set to BLOCK security_result.summary is User login failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
extensions.auth.type extensions.auth.mechanism If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE If Name is UserAgent then Value is mapped to network.http.user_agent If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type If Name is requestType then Based on Value it will map with extensions.auth.type |
| ModifiedProperties | target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
| DeviceProperties | network.session_id
principal.platform principal.hostname If Name is OS { If Value is matched to Windows then principal.platform is WINDOWS If Value is matched to Mac then principal_plateform is MAC if Value is matched to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname |
| ErrorCode | security_result.description
security_result.description is set to ErrorCode - {ErrorCode} |
| LogonError | security_result.description
If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD |
UserLoginFailed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UserLoginFailed“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Zeitstempel für StsRefreshTokenValidFrom aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update StsRefreshTokenValidFrom Timestamp“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summary If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Gerät aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Föderationseinstellungen für Domain festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Föderationseinstellungen für Domain festlegen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc).
ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
Domain bestätigen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Domain bestätigen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Unternehmensinformationen festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set Company Information“ (Unternehmensinformationen festlegen) und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Nutzerpasswort zurücksetzen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nutzerpasswort zurücksetzen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.description
security_result.summary target.labels.key/value If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue} If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Konto deaktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Konto deaktivieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Anwendungspasswort für Nutzer löschen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Delete application password for user“ (Anwendungspasswort für Nutzer löschen) und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Gerät löschen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät löschen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Registrierte Nutzer zu Gerät hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Registrierte Nutzer zu Gerät hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Registrierten Eigentümer zu Gerät hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Registrierten Inhaber zu Gerät hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Inhaber zu Gruppe hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Inhaber zu Gruppe hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product_object_id
target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
OAuth2PermissionGrant hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add OAuth2PermissionGrant“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Gerät hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Zuweisung von App-Rollen für Nutzer hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add app roles authorization to user“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSION
Workload is mapped to intermediary.application |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.application
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetName then Value is mapped to target.application If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.user.userid or target.user.email_addresses
If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Zustimmung zur Bewerbung
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Einwilligung in die Anwendung“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Diensthauptkonto aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Diensthauptkonto aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Diensthauptkonto hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Diensthauptkonto hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Diensthauptkonto entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Diensthauptkonto entfernen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
Mitglied zu Rolle hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Add member to role und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | target.resource.product_object_id
if
If
if |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
Mitglied aus Rolle entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Mitglied aus Rolle entfernen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ResultStatus is Success then Action is set to ALLOW security_result.summary is Removed a user to an admin role successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is Removed a user to an admin role failed |
|
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.user.attribute.roles.name if Name is Role.ObjectId then NewValue is target.resource.product_object_id If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Label hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Label hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is set to target.resource.product_object_id |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
Unternehmen erstellen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Unternehmen erstellen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
ObjectId is set to target.resource.product_object_id |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.labels.key/value |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
TeamsSessionStarted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TeamsSessionStarted“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleGroupAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ScheduleGroupAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleGroupEdited
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ScheduleGroupEdited“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_DELETION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleGroupDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ScheduleGroupDeleted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING Required fields for SETTING_CREATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
ShiftAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShiftAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
ShiftEdited
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShiftEdited“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
ShiftDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShiftDeleted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
TimeOffAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TimeOffAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
TimeOffEdited
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TimeOffEdited“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
TimeOffDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TimeOffDeleted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |
OpenShiftAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OpenShiftAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |
OpenShiftEdited
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OpenShiftEdited“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |
OpenShiftDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OpenShiftDeleted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleShared
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ScheduleShared“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ClockedIn
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ClockedIn“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
BreakStarted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „BreakStarted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
BreakEnded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „BreakEnded“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.labels.key/value |
RequestAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RequestAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.label.key/value |
RequestRespondedTo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RequestReplyedTo“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.label.key/value |
RequestCancelled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RequestCancelled“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleSettingChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ScheduleSettingChanged“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
TeamSettingChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TeamSettingChanged“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
AppInstalled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Appinstalled“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| AddOnName | target.resource.name |
| Version | metadata.product_version |
| AppDistributionMode | about.labels.key/value |
| AzureADAppId | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TargetUserId | target.user.product_object_id |
MemberRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MemberRemoved“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
TabRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TabRemoved“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| AddOnName | target.resource.name |
| ChannelName | target.resource.attribute.labels.key/value |
| TeamName | target.group.group_display_name |
AppUninstalled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AppDisabled“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| AddOnName | target.resource.name |
| Version | metadata.product_version |
| AppDistributionMode | about.labels.key/value |
| AzureADAppId | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TargetUserId | target.user.product_object_id |
MemberAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MemberAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| CommunicationType | about.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
TabAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TabAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| AddOnName | target.resource.name |
| AddOnUrl | target.url |
| ChannelName | target.labels.key/value |
| TeamName | target.group.group_display_name |
ClockedOut
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ClockedOut“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ScheduleId | target.resource.product_object_id |
TeamCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TeamCreated“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.resource.product_object_id |
| TeamName | target.resource.name |
| Version | metadata.product_version |
BotAddedToTeam
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „BotAddedToTeam“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| AddOnGuid | target.resource.product_object_id |
| AddOnName | target.resource.name |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ChannelAdded
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ChannelAdded“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ConnectorAdded
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ConnectorAdded“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ChannelSettingChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ChannelSettingChanged“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
TeamsTenantSettingChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TeamsTenantSettingChanged“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
MemberRoleChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MemberRoleChanged“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name DisplayName is mapped to about.user.user_display_name Role is mapped to about.user.attribute.roles.name UPN is mapped to about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
DeletedAllOrganizationApps
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeletedAllOrganizationApps“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ChannelDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ChannelDeleted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
TeamDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TeamDeleted“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.resource.product_object_id |
| TeamName | target.resource.name |
BotRemovedFromTeam
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „BotRemovedFromTeam“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ConnectorRemoved
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ConnectorRemoved“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ConnectorUpdated
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ConnectorUpdated“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
TabUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TabUpdated“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.resource.name |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.resource.attribute.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| AADGroupId | target.labels.key/value |
| AddOnUrl | target.url |
Aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism
LogonType is 2 then mechanism is set to INTERACTIVE LogonType is 3 or 8 then mechanism is set to NETWORK LogonType is 4 then mechanism is set to BATCH LogonType is 5 then mechanism is set to SERVICE LogonType is 7 then mechanism is set to UNLOCK LogonType is 9 then mechanism is set to NEW_CREDENTIALS LogonType is 9 then mechanism is set to REMOTE_INTERACTIVE LogonType is 9 then mechanism is set to CACHED_INTERACTIVE else mechanism is set to MECHANISM_UNSPECIFIED |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Item | network.email.subject
target.resource.product_object_id target.resource.name target.file.size network.email.mail_id target.file.full_path Id is mapped to target.resource.product_object_id Subject is mapped to network.email.subject SizeInBytes is mapped to target.file.size Item.ParentFolder.Path is mapped to target.resource.name InternetMessageId is mapped to network.email.mail_id Attachments is mapped to target.file.full_path |
| ModifiedProperties | securiy_result.summary |
| SessionId | network.session_id |
| ClientRequestId | principal.labels.key/value |
| Version | metadata.product_version |
FolderBind
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderBind“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientRequestId | principal.labels.key/value |
| Item | target.resource.product_object_id
target_resource_name network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
SendOnBehalf
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SendOnBehalf“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| Item | network.email.subject
network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.email_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id |
| SessionId | network.session_id |
| SendOnBehalfOfUserSmtp | target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
SendAs
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SendAs“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| SendAsUserMailboxGuid | about.labels.key/value |
| Item | network.email.subject
network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id |
| SessionId | network.session_id |
| SendAsUserSmtp | target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
Senden
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Send“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | network.email.subject
network.email.mail_id target.file.full_path target.resource.product_object_id |
| SessionId | network.session_id |
| Version | metadata.product_version |
Neue Posteingangsregel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-InboxRule“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| SessionId | network.session_id |
| Version | metadata.product_version |
| Parameters | security_result.rule_labels.key/value |
| AppId | target.labels.key/value |
Regel für den Posteingang festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-InboxRule“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
ObjectId is set to target.group.product_object_id target.resource.resource_type is set to SETTING |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | security_result.rule_labels.key/value |
| SessionId | network.session_id |
| ClientRequestId | principal.labels.key/value |
| Version | metadata.product_version |
MoveToDeletedItems
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MoveToDeletedItems“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| DestFolder | target.resource.product_object_id
target.resource.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id Subject is mapped to network.email.subject ParentFolder.Path is mapped to about.file.full_path AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id |
| Folder | src.resource.product_object_id
src.resource.name |
| ClientRequestId | principal.labels.key/value |
| AppId | target.labels.key/value |
Verschieben
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Move“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| DestFolder | target.resource.product_object_id
target.resource.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id |
| Folder | src.resource.product_object_id
src.resource.name |
MailItemsAccessed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MailItemsAccessed“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| OperationProperties | security_result.detection_fields.key/value. |
| SessionId | network.session_id |
| Version | metadata.product_version |
| OperationCount | about.labels.key/value |
| AppId | target.labels.key/value |
| Folders | about.resource.name
about.resource.product_object_id network.email.mail_id Folders.Path is mapped to about.resource.name Folders.Id is mapped to about.resource.product_object_id Folders.0.FolderItems.0.InternetMessageId network_email_id |
MailboxLogin
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MailboxLogin“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_LOGIN
auth.Type is MACHINE |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| SessionId | network.session_id |
| Version | metadata.product_version |
SoftDelete
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SoftDelete“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id AffectedItems.Attachments is mapped to about.file.full_path AffectedItems.Subject is mapped to network.email.subject AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id |
| Folder | target.resource.name
target.resource.product_object_id Folder.Path is mapped to target.resource.name Folder.Id is mapped to target.resource.product_object_id |
| SessionId | network.session_id |
| ClientRequestId | principal.labels.key/value |
| Version | metadata.product_version |
HardDelete
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HardDelete“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id |
| Version | metadata.product_version |
| ClientAppId | target.labels.key/value |
| AppId | target.labels.key/value |
| Folder | target.resource.name
target.resource.product_object_id |
Erstellen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Create“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.resource.name
target.resource.product_object_id target.file.full_path network.email.subject network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name Item.Subject is mapped to network.email.subject Attachment may present or not in log so write grok for this. Item.Attachments is mapped to target.file.full_path |
| SessionId | network.session_id |
| Version | metadata.product_version |
RemoveFolderPermissions
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemoveFolderPermissions“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.file.full_path
target.resource.attribute.permissions.name target.user.email_addresses or target.user.userid Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid Item.ParentFolder.Path is mapped to target.file.full_path User rights is mapped to target.resource.attribute.permissions.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
ModifyFolderPermissions
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ModifyFolderPermissions“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.file.full_path
target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
AddFolderPermissions
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddFolderPermissions“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.file.full_path
target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name Path is mapped to target.file.full_path Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid User Rights is mapped to target.resource.attribute.permissions.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
Entfernen-Postfachberechtigung
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-MailboxPermission“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
„Postfach-Berechtigung hinzufügen“
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add-MailboxPermission“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AppId | target.resource.attribute.labels.key/value |
| Parameters | security_result.detection_fields.key/value |
| ObjectId | target.resource.attribute.labels.key/value |
UpdateInboxRules
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateInboxRules“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
| Item | target.resource.product_object_id
target.resource.name Item.ParentFolder.name is mapped to target.resource.name Item.ParentFolder.id is mapped to target.resource.product_object_id |
| OperationProperties | security_result.rule_id
security_result.rule_name security_result.detection_fields.key/value if Name is RuleId then Value is mapped to security_result.rule_id if Name is RuleName then Value is mapped to security_result.rule_name else security_result.detection_fields.key/value |
| ClientRequestId | principal.labels.key/value |
UpdateCalendarDelegation
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateCalendarDelegation“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is SERVICE_ACCOUNT |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
ApplyRecordLabel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ApplyRecordLabel“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
UpdateFolderPermissions
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateFolderPermissions“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to STORAGE_OBJECT |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
Nutzer festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-User“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION
ObjectId is set to target.user.userid or target.user.email_addresses |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| Version | metadata.product_version |
ViewReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is mapped to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| ConsumptionMethod | target.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| DistributionMethod | about.labels.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.attribute.labels.key/value |
GenerateEmbedToken
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GenerateEmbedToken“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| ConsumptionMethod | target.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| DistributionMethod | about.labels.key/value |
| ReportId | target.resource.attribute.labels.key/value |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| EmbedTokenId | target.resource.product_object_id |
| RLSIdentities | about.user.email_addresses
about.user.attribute.roles.name RLSIdentities.UserName is mapped to about.user.email_addresses RLSIdentities.Roles is mapped to about.user.attribute.roles.name |
CreateDataset
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateDataset“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
GenerateCustomVisualAADAccessToken
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GenerateCustomVisualAADAccessToken“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| CustomVisualAccessTokenResourceId | target.resource.product_object_id |
| CustomVisualAccessTokenSiteUri | target.url |
DeleteOrganizationalGalleryItem
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteOrganizationalGalleryItem“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
DeleteAlmPipeline
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteAlmPipeline“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
AddDatasourceToGateway
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddDatasourceToGateway“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| GatewayId | target.resource.attribute.labels.key/value |
| GatewayType | target.labels.key/value |
| DatasourceId | target.resource.product_object_id |
| DatasourceType | target.resource.attribute.labels.key/value |
AssignWorkspaceToPipeline
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AssignWorkspaceToPipeline“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | principal.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | principal.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| DeploymentPipelineStageOrder | target.labels.key/value |
CancelDataflowRefresh
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CancelDataflowRefresh“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
ChangeCapacityState
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ChangeCapacityState“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CapacityName | target.resource.name |
| CapacityUsers | about.labels.key/value |
| CapacityState | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
ChangeGatewayAdministrators
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ChangeGatewayAdministrators“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.product_object_id |
| UserInformation | about.user.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
InsertOrganizationalGalleryItem
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „InsertOrganizationalGalleryItem“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
CreateAlmPipeline
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateAlmPipeline“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
CreateApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateApp“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
CreateDashboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateDashboard“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
If IsSuccess is true then security_result.summary is Dashboard created successfully else security_result.summary is Dashboard not created |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
CreateDataflow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateDataflow“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_CREATION
If IsSuccess is true then security_result.summary is Dataflow created successfully else security_result.summary is Dataflow not created |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DataflowType | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
CreateEmailSubscription
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateEmailSubscription“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
If IsSuccess is true then security_result.summary is EmailSubscription created successfully else security_result.summary is EmailSubscription not created ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| SubscriptionSchedule | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| SubscribeeInformation | network.email.to |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
CreateFolder
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateFolder“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| FolderDisplayName | target.resource.name |
| FolderObjectId | target.resource.attribute.labels.key/value |
CreateGateway
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateGateway“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| GatewayId | target.resource.product_object_id |
| GatewayType | target.labels.key/value |
CreateTemplateApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateTemplateApp“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
DeleteComment
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteComment“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| AuditedArtifactInformation | target.resource.name
target.resource.product_object_id target.resource.attribute.labels.key/value Name is mapped to target.resource.name ArtifactObjectId is set to target.resource.product_object_id AnnotatedItemType is mapped to target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
DeleteDashboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteDashboard“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| DashboardName | target.resource.name |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| DistributionMethod | about.labels.key/value |
DeleteDataflow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteDataflow“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
DeleteDataset
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteDataset“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
DeleteEmailSubscription
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteEmailSubscription“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_DELETION
ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
DeleteFolder
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteFolder“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
if isSuccess is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
DeleteGateway
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteGateway“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
DeleteGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteGroup“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.nameRecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
DeleteReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
DownloadReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DownloadReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
EditDataset
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „EditDataset“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
EditDatasetProperties
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „EditDatasetProperties“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetCertificationStage | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
EditReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „EditReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.attribute.labels.key/value |
| ReportType | target.resource.attribute.labels.key/value |
ExportDataflow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ExportDataflow“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
if isSuccess is TRUE then security_result.summary is Dataflow Exported Successfully else security_result.summary is Dataflow Not Exported |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| DataflowName | target.rsource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
ExportReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ExportReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
if isSuccess is TRUE then security_result.summary is Report Exported Successfully else security_result.summary is Report Not Exported |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
InstallApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „InstallApp“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
InstallTemplateApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „InstallTemplateApp“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppFolderObjectId | about.labels.key/value |
| TemplateAppOwnerTenantObjectId | principal.user.product_object_id |
| TemplateAppVersion | metadata.product_version |
| TemplateAppObjectId | target.resource.product_object_id |
| TemplatePackageName | target.resource.name |
PostComment
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PostComment“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| AuditedArtifactInformation | target.resource.name
target.resource.product_object_id target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
PrintDashboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PrintDashboard“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZEDObjectId is set to target.file.full_path | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
PrintReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PrintReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
UnassignWorkspaceFromPipeline
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UnassignWorkspaceFromPipeline“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| DeploymentPipelineId | target.resource.attribute.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
RemoveDatasourceFromGateway
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemoveDatasourceFromGateway“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.attribute.label.key/value |
| DatasourceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
RenameDashboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UmbenennenDashboard“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
RequestDataflowRefresh
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RequestDataflowRefresh“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowRefreshScheduleType | target.labels.key/value |
| DataflowType | target.resource.attribute.label.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
RefreshDataset
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RefreshDataset“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RefreshType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
SensitivityLabelApplied
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SensitivityLabelApplied“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| SensitivityLabelId | target.resource.product_object_id |
| ActionSourceDetail | principal.labels.key/value |
| LabelEventType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActionSourceDetail | principal.labels.key/value |
| ArtifactType | about.labels.key/value |
SensitivityLabelRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SensitivityLabelRemoved“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OldSensitivityLabelId | target.resource.product_object_id |
| ActionSource | principal.labels.key is set to ActionSource
principal.labels.value is set to {Value} |
| LabelEventType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActionSourceDetail | principal.labels.key/value |
| ArtifactType | about.labels.key/value |
SetScheduledRefreshOnDataflow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SetScheduledRefreshOnDataflow“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.label.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
SetScheduledRefresh
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SetScheduledRefresh“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.rsource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| Schedules | target.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
ShareDashboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShareDashboard“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| SharingAction | about.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
ShareReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShareReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| Datasets | about.resource.product_object_id
about.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| ArtifactId | target.resource.product_object_id |
| ArtifactName | target.resource.name |
| SharingAction | about.labels.key/value |
| ShareLinkId | about.labels.key/value |
OptInForProTrial
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OptInForProTrial“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UnpublishApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UnpublishApp“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.product_object_id |
| WorkSpaceName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateOrganizationalGalleryItem
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateOrganizationalGalleryItem“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
UpdateAlmPipelineAccess
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateAlmPipelineAccess“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| DeploymentPipelineDisplayName | target.resource.name |
| DeploymentPipelineAccesses | about.user.userid
about.user.attribute.permissions.name userid is mapped to about.user.userid Rolepermission is mapped to about.user.attribute.permissions.name |
UpdateInstalledTemplateAppParameters
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateinstalledTemplateAppParameters“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
| TemplatePackageName | target.resource.name |
| TemplateAppVersion | metadata.product_version |
| TemplateAppFolderObjectId | about.labels.key/value |
UpdatedAdminFeatureSwitch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdatedAdminFeatureSwitch“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is mapped to SETTING |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| SwitchState | about.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateApp“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateDataflow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateDataflow“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateDatasetParameters
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateDatasetParameters“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
UpdateEmailSubscription
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateEmailSubscription“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION
target.resource.type is mapped to TASK |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| SubscriptionSchedule | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| SubscribeeInformation | network.email.to |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
UpdateFolder
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateFolder“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| FolderDisplayName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateFolderAccess
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateFolderAccess“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| FolderDisplayName | target.resource.name |
| FolderAccessRequests | about.user.userid
about.user.product_object_id about.user.attribute.permissions.type UserId is mapped to about.user.userid UserObjectId is set to about.user.product_object_id RolePermissions is mapped to about.user.attribute.permissions.type |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateDatasourceCredentials
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateDatasourceCredentials“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.attribute.labels.key/value |
| DatasourceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateTemplateAppSettings
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateTemplateAppSettings“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AppName | target.labels.key/value |
| ActivityId | principal.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
UpdateTemplateAppTestPackagePermissions
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateTemplateAppTestPackagePermissions“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
ViewDashboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewDashboard“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ConsumptionMethod | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
ViewDataflow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewDataflow“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
AddTile
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddTile“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| TileText | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
RunEmailSubscription
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RunEmailSubscription“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.label.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.label.key/value |
| DashboardId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
CreateReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.label.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.label.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
GetSnapshots
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GetSnapshots“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
OptInForPPUTrial
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OptInForPPUTrial“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
E-Mail-Nutzer festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-MailUser“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| Version | metadata.product_version |
E-Mail-Kontakt festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-MailContact“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| Version | metadata.product_version |
Postfach einrichten
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-Mailbox“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
Object is mapped to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Verteilergruppe festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-DistributionGroup“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is Group members definition ResultStatus is True Action is set to ALLOW else Action is set to BLOCK |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is AcceptMessagesOnlyFromSendersOrMembers then Value is mapped to security_result.description else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Kontakt festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-Contact“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| Version | metadata.product_version |
Set-CASPostfach
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-CASMailbox“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| ModifiedObjectResolvedName | about.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Kalenderverarbeitung festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-CalendarProcessing“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.user_display_name
If Name is ResourceDelegates then Value is mapped to target.user.user_display_name |
| SessionId | network.session_id |
| Version | metadata.product_version |
Set-AdminAuditLogConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-AdminAuditLogConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. ObjectId is mapped to target.url target.resource.resource_type is set to SETTING |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| ModifiedObjectResolvedName | about.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
UnifiedGroup entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-UnifiedGroup“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION | |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| Version | metadata.product_version |
Entfernen-Migrationsnutzer
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-MigrationUser“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION
ObjectId is set to target.user.userid or target.user.email_addresses |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Update-eDiscoveryCaseAdmin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update-eDiscoveryCaseAdmin“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Verteilergruppenmitglied entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-DistributionGroupMember“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
ViewedSearchExported
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewedSearchExported“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
AddWorkingSetQueryToWorkingSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddWorkingSetQueryToWorkingSet“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AddQueryToWorkingSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AddQueryToWorkingSet“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
RunAlgo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RunAlgo“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AnnotateDocument
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnnotateDocument“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
BurnJob
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „BurnJob“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
CreateWorkingSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateWorkingSet“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
CreateWorkingsetSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateWorkingsetSearch“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
CreateTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateTag“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
DeleteWorkingsetSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteWorkingsetSearch“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
DeleteTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteTag“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
DownloadDocument
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DownloadDocument“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
UpdateTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateTag“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
ExportJob
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ExportJob“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
UpdateCaseSettings
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateCaseSettings“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
UpdateWorkingsetSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateWorkingsetSearch“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
TagFiles
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TagFiles“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
ViewDocument
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewDocument“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
SearchViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchViewed“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
If Name is SearchIds then Value is mapped to target.resource.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
CaseMemberAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseMemberAdded“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member|User) \{DATA:target_user}\ } } |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
SearchUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
CaseAdminUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseAdminUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | about.user.email_address
about.user.product_object_id If Name is CaseAdminsSmtp then Value is mapped to about.user.email_addresses if Name is CaseAdminsGuid then Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
CaseUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
CaseMemberUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseMemberUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resrource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchPermissionUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchPermissionUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExtendedProperties | principal.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
HoldUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HoldUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchRemoved“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
CaseAdminRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseAdminRemoved“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
target.user.email_address target.user.userid If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} target_user is mapped to target.user.email_addresses or target.user.userid |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
CaseRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseRemoved“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_detail |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchPermissionRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchPermissionRemoved“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | principal.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
HoldRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HoldRemoved“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
HoldCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HoldCreated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchCreated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_detail |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_detail |
| Query | security_result.description |
| SharepointLocations | security_result.category_detail |
CaseAdminAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseAdminAdded“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.prdouct_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchStarted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchStarted“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
SearchReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchReport“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchStopped
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchStopped“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_detail |
CaseViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseViewed“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_detail |
| ExtendedProperties | target.resource.product_object_id
about.user.email_addresses about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Nameis CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_detail |
| Query | security_result.description |
| SharepointLocations | security_result.category_detail |
SearchExportDownloaded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchExportDownloaded“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
CaseMemberRemoved
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseMemberRemoved“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member|User) \{DATA:target_user}\ } } |
| Version | metadata.product_version |
CaseAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CaseAdded“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
SearchPermissionCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchPermissionCreated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | principal.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
NetworkConfigurationUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NetworkConfigurationUpdated“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses
principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
ProcessProfileFields
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ProcessProfileFields“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
SupervisorAdminToggled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SupervisorAdminToggled“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
NetworkSecurityConfigurationUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NetworkSecurityConfigurationUpdated“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
FileCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCreated“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_CREATIONIf ResultStatus is TRUE {
security_result.action is ALLOW} else {security_result.action is BLOCK} |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
GroupCreation
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupCreation“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
MessageDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageDeleted“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
GroupDeletion
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupDeletion“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
DataExport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DataExport“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
FileVisited
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileVisited“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_READ
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses
principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
StreamInvokeVideoView
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoView“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoShare
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoShare“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoLike
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoLike“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoUnLike
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoUnLike“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoUpload
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoUpload“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoDownload
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoDownload“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoSetLink
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoSetLink“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamCreateGroup“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditGroup“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamDeleteGroup“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditGroupMemberships
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditGroupMemberships“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateChannel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamCreateChannel“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditChannel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditChannel“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | network.http.referral_url |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteChannel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamDeleteChannel“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | network.http.referral_url |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeChannelSetThumbnail
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeChannelSetThumbnail“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | network.http.referral_url |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditVideoPermissions
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditVideoPermissions“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is Succeeded then action is ALLOW else action is BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditVideo
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditVideo“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteVideo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamDeleteVideo“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditUserSettings
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditUserSettings“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditAdminTenantSettings
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditAdminTenantSettings“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateVideoComment
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamCreateVideoComment“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteVideoComment
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamDeleteVideoComment“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoTextTrackUpload
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoTextTrackUpload“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteVideoTextTrack
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamDeleteVideoTextTrack“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoThumbnailUpload
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoThumbnailUpload“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is Succeeded then action is ALLOW else action is BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateVideo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamCreateVideo“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url_back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
DlpRuleMatch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang DlpRuleMatch und die Arbeitslast Exchange/SharePoint/OneDrive aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION
|
|
| SharePointMetaData | network.http.referral_url
|
| ExchangeMetaData | network.email.from
|
| ExceptionInfo | about.labels.key/value
|
| PolicyDetails | target.resource.product_object_id
|
| IncidentId | about.labels.key/value
|
| Version | metadata.product_version
|
| Site | target.labels.key/value
|
| ItemType | target.resource.attribute.labels.key/value
|
| EventSource | principal.application
|
| SourceName | principal.labels.key/value
|
| UserAgent | network.http.user_agent
|
| MachineDomainInfo | target.asset.attribute.labels.key/value
|
| MachineId | target.asset.product_object_id
|
| EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
DlpRuleUndo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DlpRuleRückgängig“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id |
|
| SharePointMetaData | network.http.referral_url
network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size |
| ExceptionInfo | about.labels.key/value |
| PolicyDetails | target.resource.product_object_id
security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity |
| IncidentId | about.labels.key/value |
| Version | metadata.product_version |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
DlpInfo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DlpInfo“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id |
|
| SharePointMetaData | network.http.referral_url
network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size |
| ExceptionInfo | about.labels.key/value |
| PolicyDetails | target.resource.product_object_id
security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity |
| IncidentId | about.labels.key/value |
| Version | metadata.product_version |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
MipLabel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MipLabel“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to network.email.mail_id |
|
| ApplicationMode | about.labels.key/value |
| ItemName | network.email.subject |
| LabelAppliedDateTime | principal.labels.key/value |
| LabelId | target.resource.product_object_id |
| LabelName | target.resource.name |
| Receivers | network.email.to |
| Sender | network.email.from |
| Version | metadata.product_version |
SiteCollectionCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteCollectionCreated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| CorrelationId | security_result.detection_fields.key/value |
| EventData | target.resource.name |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| Version | metadata.product_version |
SiteDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteDeleted“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| MachineId | target.asset.product_object_id |
PreviewModeEnabledSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PreviewModeEnabledSet“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is mapped to SETTING |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
OfficeOnDemandSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „OfficeOnDemandSet“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteJoined
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HubSiteJoined“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value
target.resource.attribute.labels.key/value PreviousHubSiteIdis mapped to target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteRegistered
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HubSiteRegistered“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value
target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteUnjoined
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HubSiteUnjoined“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectID is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value
IsHubSiteIdis mapped to target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteUnregistered
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HubSiteUnregistered“ und die Arbeitslast „HubSiteUnregistered“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectID is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
SharingPolicyChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SharingPolicyChanged“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| AssertingApplicationId | about.labels.key/value |
| ModifiedProperties | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
NetworkAccessPolicyChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NetworkAccessPolicyChanged“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.ip
target.labels.key/value if Name is IPAddressAllowList then NewValue is mapped to target.ip else target.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
AlertEntityGenerated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AlertEntityGenerated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
security_result.category is set to DATA_EXFILTRATION |
|
| AlertId | target.resource.product_object_id |
| AlertType | target.resource.attribute.labels.key/value |
| Name | security_result.summary |
| PolicyId | target.labels.key/value |
| Status | target.resource.attribute.labels.key/value |
| Severity | security_result.severity |
| Category | security_result.category_details |
| Source | security_result.description |
| Comments | about.labels.key/value |
| Data | about.labels.key/value |
| AlertEntityId | target.user.userid or target.user.email_addresses |
| EntityType | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AlertTriggered
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AlertTriggered“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
security_result.category is set to DATA_EXFILTRATION |
|
| AlertId | target.resource.product_object_id |
| AlertType | target.resource.attribute.labels.key/value |
| Name | security_result.summary |
| PolicyId | target.labels.key/value |
| Status | target.resource.attribute.labels.key/value |
| Severity | security_result.severity |
| Category | security_result.category_details |
| Source | security_result.description |
| Comments | about.labels.key/value |
| Data | about.labels.key/value |
| AlertEntityId | target.user.userid or target.user.email_addresses |
| EntityType | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AlertUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AlertUpdated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
security_result.category is set to DATA_EXFILTRATION |
|
| AlertId | target.resource.product_object_id |
| AlertType | target.resource.attribute.labels.key/value |
| Name | security_result.summary |
| PolicyId | target.labels.key/value |
| Status | target.resource.attribute.labels.key/value |
| Severity | security_result.severity |
| Category | security_result.category_details |
| Source | security_result.description |
| Comments | about.labels.key/value |
| Data | about.labels.key/value |
| AlertEntityId | target.user.userid or target.user.email_addresses |
| EntityType | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
Compliance-Fall abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceCase“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
CaseHoldPolicy abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-CaseHoldPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_UNCATEGORIZED
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
ComplianceSearch abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceSearch“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Entfernen einer CaseHoldPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-CaseHoldPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Set-CaseHoldPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-CaseHoldPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Neue Fall-Hold-Regel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-CaseHoldRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Remove-CaseHoldRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-CaseHoldRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-CaseHoldRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-CaseHoldRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
ComplianceSearchAction abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceSearchAction“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Neuer Compliance-Fall
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ComplianceCase“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.name |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
ComplianceFall entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-ComplianceCase“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Compliancefall festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-ComplianceCase“ und die Arbeitslast „Set-ComplianceCase“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Compliance-Fallmitglied hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add-ComplianceCaseMember“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
ComplianceFallmitglied entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-ComplianceCaseMember“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Compliance-Fallmitglied aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update-ComplianceCaseMember“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Neue ComplianceSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ComplianceSearch“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Entfernen-ComplianceSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-ComplianceSearch“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-ComplianceSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-ComplianceSearch“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
ComplianceSearch starten
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Start-ComplianceSearch“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Stop-ComplianceSearch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Stop-ComplianceSearch“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Neue ComplianceSearchAction
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ComplianceSearchAction“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Entfernen-ComplianceSearchAction
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-ComplianceSearchAction“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Neuer ComplianceSecurityFilter
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ComplianceSecurityFilter“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
ComplianceSecurityFilter entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-ComplianceSecurityFilter“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
ComplianceSecurityFilter festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-ComplianceSecurityFilter“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Add-eDiscoveryCaseAdmin hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add-eDiscoveryCaseAdmin“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Entfernen-eDiscoveryCaseAdmin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-eDiscoveryCaseAdmin“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Richtlinie für neue Anfrage
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-CaseHoldPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-AadProtectionLevel
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-AadProtectionLevel“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-AutoSensitivityLabelPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-AutoSensitivityLabelPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-DlpSensibleInformationType
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-DlpsensitiveInformationType“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Label abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-Label“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
LabelPolicy abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-LabelPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
PolicyConfig abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-PolicyConfig“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
ValidaterbacAccessCheck
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ValidaterbacAccessCheck“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| AadAppId | target.labels.key/value |
| DataType | security_result.description |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
| Version | metadata.product_version |
ApplicableAdaptiveScopeChange
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AppliedAdaptiveScopeChange“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.resource.product_object_id
If Name is AssociatedAdaptiveScopeIds then Value is target.resource.product_object_id |
| CorrelationId | security_result.detection_fields |
| ObjectType | security_result.summary |
NewComplianceTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NewComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
NewRetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NewRetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
NewRetentionCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NewRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
RemoveComplianceTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemoveComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/valueIf Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
RemoveRetentionCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemoveRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
SetComplianceTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SetComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
SetRetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SetRetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
SetRetentionCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SetRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
Get-CsTeamsUpgradeOverridePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-CsTeamsUpgradeOverridePolicy“ und die Arbeitslast „SkypeForBusiness“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | security_result.description
If Name is Tenant then Value is mapped to tenate_value If Name is Identity then Vale is mapped to identity_value security_result.description is Tenant = {tenate_value} / Identity = {identity_value} |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
TeamsAdminAction
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TeamsAdminAction“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
If ResultStatus is Succeeded then Action is set to ALLOW If ResultStatus is Failed then Action is set to BLOCK |
|
| AdminActionDetail | security_result.summary |
| ClientApplication | network.http.user_agent |
| ExtraProperties | additional.fields.key/value.string_value |
| UserClaims | security_result.description |
| Version | metadata.product_version |
DistributionGroupMember aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update-DistributionGroupMember“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK |
|
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.description
target.group.product_object_id or target.group.email_addresses target.group.attribute.labels.key/value If Name is Members then Value is mapped to security_result.description If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
SupervisoryReviewOLAudit
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SupervisoryReviewOLAudit“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
extract auditscore form ResultStatus using ResultStatus .*?Score:{auditScore} and map with security_result.confidenece_details is {auditScore} security_result.confidence will map based on auditScore |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| ExchangeDetails | network.direection
network.email.from network.email.mail_id network.email.to network.email.subject If Directionality is Incoming then network.direction is mapped to INBOUND If Directionality is Outgoining then network.direction is mapped to OUTBOUND From is mapped to network.email.from InternetMessageId is mapped to network.email.mail_id Recipients is mapped to network.email.to Subject is mapped to network.email.subject |
| Version | metadata.product_version |
CrmDefaultActivity
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CrmDefaultActivity“ und die Arbeitslast „CRM“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| CrmOrganizationUniqueName | principal.resource.name |
| InstanceUrl | target.url |
| ItemUrl | principal.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| Fields | about.labels.key/value |
| EntityId | principal.labels.key/value |
| EntityName | principal.labels.key/value |
| Message | security_result.summary |
| Query | security_result.description |
| PrimaryFieldValue | about.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| QueryResults | about.labels.key/value |
| ServiceContextId | principal.labels.key/value |
| ServiceContextIdType | about.labels.key/value |
| ServiceName | principal.application |
| SystemUserId | principal.labels.key/value |
| Version | metadata.product_version |
TIMailData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TIMailData“ und die Arbeitslast „ThreatIntelligence“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
ObjectId is set to metadata.product_log_id |
|
| AttachmentData | about.file.full_path
about.file.mime_type about.file.sha256 security_result.category_details AttachmentData.FileName is mapped to about.file.full_path AttachmentData.FileType is mapped to about.file.mime_type AttachmentData.SHA256 is mapped to about.file.sha256 AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details |
| DetectionType | security_result.summary |
| DetectionMethod | security_result.description |
| InternetMessageId | about.labels.key/value |
| NetworkMessageId | about.labels.key/value |
| P1Sender | principal.user.email_addresses |
| P2Sender | network.email.from |
| Policy | security_result.rule_name |
| PolicyAction | security_result.action
PolicyAction is Quarantine then action is set to QUARANTINE PolicyAction is MoveToJmf then action is set to ALLOW_WITH_MODIFICATION |
| Recipients | network.email.to |
| SenderIp | src.ip |
| Subject | network.email.subject |
| Verdict | security_result.category |
| MessageTime | target.resource.attribute.labels.key/value |
| EventDeepLink | metadata.url_back_to_product |
| DeliveryAction | about.labels.key/value |
| OriginalDeliveryLocation | about.labels.key/value |
| LatestDeliveryLocation | about.labels.key/value |
| Directionality | network.direction |
| ThreatsAndDetectionTech | about.labels.key/value |
| AdditionalActionsAndResults | about.labels.key/value |
| Connectors | about.labels.key/value |
| AuthDetails | about.labels.key/value |
| PhishConfidenceLevel | about.labels.key/value |
| Version | metadata.product_version |
SearchMtpStatus
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchMtpStatus“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| Version | metadata.product_version |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
RemovedFromSiteCollection
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemovedFromSiteCollection“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupType | target.group.group_display_name
target.user.userid target.user.email_addresses |
| WebId | about.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
CommentsDisabled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CommentsDisabled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| SourceRelativeUrl | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| WebId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileRecycled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
CommentsEnabled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CommentsEnabled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| SiteUrl | network.http.referral_url |
| SourceFileName | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| ApplicationDisplayName | target.application |
FolderRecycled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FolderRecycled“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| WebId | about.labels.key/value |
FileTranscriptRequested
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileTranskriptRequested“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| WebId | about.labels.key/value |
WACTokenShared
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „WACTokenShared“ und die Arbeitslast „SharePoint/OneDrive“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| WebId | about.labels.key/value |
Label aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Label aktualisieren“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
SiteLocksChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteLocksChanged“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteIBModeSet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteIBModeSet“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_UNCATEGORIZED
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteDesignInvoked
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteDesignInvoked“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
SiteDesignId is mapped to target.resource.attribute.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteContentTypeCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteContentTypeCreated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| ListTitle | about.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteCollectionQuotaModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteCollectionQuotaModified“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
ShortcutAdded
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShortcutAdded“ und die Arbeitslast „SharePoint“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATIONObjectId is mapped to target.url | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| SiteUrl | network.http.referral_url |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SPOIBIsEnabled
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SPOIBIsEnabled“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
WebAccessRequestApproverModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „WebAccessRequestApproverModified“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| ModifiedProperties | target.labels.key/value
if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
Set-TransportConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-TransportConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| AppId | target.labels.key/value |
| Parameters | principal.user.email_addresses
principal.user.userid If Name is Identity then Valueis mapped toprincipal.user.email_addresses or principal.user.userid |
Mandantenobjekt-Version festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-TenantObjectVersion“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value
If Name is DomainController then Value is mapped to target.administrative_domain else target.labels.key/value |
Set-RecipientEnforcementProvisioningPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-RecipientEnforcementProvisioningPolicy“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
PolicyConfig festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-PolicyConfig“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to ACCESS_POLICY |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
OwaMailboxPolicy festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-OwaMailboxPolicy“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Postfach-Plan festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-MailboxPlan“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Set-LabelProperties
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-LabelProperties“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
| SessionId | network.session_id |
Label festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-Label“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-ExchangeAssistanceConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-ExchangeAssistanceConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.url
target.labels.key/value If Name is PrivacyStatementURL then Value is mapped to target.url else target.labels.key/value |
ConditionalAccessPolicy festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-ConditionalAccessPolicy“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.labels.key/value If Name is DisplayName then Value is mapped to target.resource.name else target.labels.key/value |
| SessionID | network.session_id |
New-ConditionalAccessPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ConditionalAccessPolicy“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.labels.key/value If Name is DisplayName then Value is mapped to target.resource.name else target.labels.key/value |
| SessionID | network.session_id |
RemovedSearchReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemovedSearchReport“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
PrivacyManagementPolicy abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-PrivacyManagementPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
AufbewahrungCompliancePolicy festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-RetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Parameters | target.process.command_line |
SearchTrialOffer
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchTrialOffer“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchTIKustoClusterInformation
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchTIKustoClusterInformation“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchMtpRoleInfo
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchMtpRoleInfo“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchMailflowForwardingData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchMailflowForwardingData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchDataInsightsSubscription
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchDataInsightsSubscription“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchCustomerInsight
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchCustomerInsight“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchConnectorReportData
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchConnectorReportData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertAggregate
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchAlertAggregate“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlert
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchAlert“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AddressListPaging aktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Enable-AddressListPaging“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Install-AdminAuditLogConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Install-AdminAuditLogConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
AccessedAggregates
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessedAggregates“ und die Arbeitslast „Mip“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| DataType | security_result.description |
| version | metadata.product_version |
AccessedSiteList
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AccessedSiteList“ und die Arbeitslast „Mip“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| DataType | security_result.description |
| version | metadata.product_version |
Install-DataClassificationConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Install-DataClassificationConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Set-UnifiedGroup
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-UnifiedGroup“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. if ResultStatus is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| SessionId | network.session_id |
ApplicableAdaptivePolicyChange
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AppliedAdaptivePolicyChange“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | security_result.detection_fields.key/value.
target.resource.product_object_id if Name is CorrelationId then Name is mapped to security_result.detection_fields.key/value. if Name is AssociatedAdaptivePolicyIds then AssociatedAdaptivePolicyIds is mapped to target.resource.product_object_id |
| ObjectType | security_result.summary |
Get-AppRetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-AppRetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{:target_resource_product_object_id}\ } } |
Neue-AppRetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-AppRetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| ClientRequestId | principal.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.name target.resource.product_object_id Extract Policy and Name using grok Name is mapped to target.resource.name Policy is mapped to target.resource.product_object_id |
| StartTime | target.resource.attribute.creation_time |
Neue AppRetentionCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-AppRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| ClientRequestId | principal.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| StartTime | target.resource.attribute.creation_time |
AppRetentionCompliancePolicy festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-AppRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
Install-DefaultSharingPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Install-DefaultSharingPolicy“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Install-ResourceConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Install-ResourceConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Neues Postfach
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-Mailbox“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZEDObjectId is mapped to target.url | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
| SessionId | network.session_id |
Postfach-Ordnerberechtigung hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add-MailboxFolderPermission“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.user.user_display_name target.user.attribute.permissions.name target.labels.key/value If Name is Identity then Value is mapped to target.resource.name If Name is User then Value is mapped to target.user.user_display_name If Name is AccessRights then Value is mapped to target.user.attribute.permissions.name else target.labels.key/value |
Richtlinie für neue Labels
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-LabelPolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to ACCESS_POLICY |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Neues Label
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-Label“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.name |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Aktivitätswarnung erhalten
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ActivityAlert“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Warnung wegen Schutzmaßnahme erhalten
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ProtectionAlert“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
SearchComplianceCase
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchComplianceCase“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
ComplianceTag entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-ComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Entfernen-AppRetentionCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-AppRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource_resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Entfernung-AufbewahrungCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-RetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource_resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Neues ComplianceTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
ComplianceTagStorage aktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Enable-ComplianceTagStorage“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceRetentionEventType
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceRetentionEventType“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AggregateActivityData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AggregateActivityData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Compliance-Tag festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-ComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-FilePlanPropertyStructure
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-FilePlanPropertyStructure“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Neu-ComplianceRetentionEventType
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ComplianceRetentionEventType“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is mapped to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.name target_resource_name is mapped to target.resource.name |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-DlpSensibleInformationTypeRulePackage
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-DlpsensitiveInformationTypeRulePackage“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
ComplianceRetentionEvent abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceRetentionEvent“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
ComplianceSecurityFilter
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ComplianceSecurityFilter“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Quarantäne-Nachricht abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-QuarantäneMessage“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AggregateThreatProfileDetails
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AggregateThreatProfileDetails“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-DlpDetectionsReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-DlpDetectionsReport“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-AppRetentionCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-AppRetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Rolle-Gruppenmitglied hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add-RoleGroupMember“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
Rollengruppenmitglied aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update-RoleGroupMember“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
Neue Rollengruppe
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-RoleGroup“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| SessionId | network.session_id |
| ClientAppId | target.labels.key/value |
Provisioning-ComplianceMailboxFolder
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Provision-ComplianceMailboxFolder“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.resource.product_object_id
target.labels.key/value need to discuss mapping of MultiStageReviewFolderSetting in parameter fields If Name is FolderName then Value is mapped to target.resource_product_object_id else target.labels.key/value |
Postfach entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-Mailbox“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.resource.name
target.labels.key/value If Name is Identity then Value is mapped to target.resource.name else target.labels.key/value |
Neue Quarantänerichtlinie
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-QuarantänePolicy“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.resource.name
target.labels.key/value If Name is Name then Value is mapped to target.resource.name All other parameters will map with target.labels.key/value |
| SessionId | network.session_id |
Rollengruppe abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-RoleGroup“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
SearchLabelAnalyticsActivityData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchLabelAnalyticsActivityData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | about.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-DlpCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-DlpCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
SearchSecurityRedirection
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchSecurityWeiterleitungion“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | about.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Compliance-Fallmitglied abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceCaseMember“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
HoldViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HoldViewed“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
Get-eDiscoveryCaseAdmin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-eDiscoveryCaseAdmin“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RoleGroupMember
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-RoleGroupMember“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ManagementRole
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ManagementRole“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Rollengruppe festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-RoleGroup“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.group.group_display_name
target.process.command_line Extract DisplayName using grok Name is mapped totarget.group.group_display_name |
| Version | metadata.product_version |
| ResultCountSecurityComplianceCenterEventType | about.labels.key/value |
SecurityPrincipal abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-SecurityPrincipal“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
CaseHoldRule abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-CaseHoldRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } } |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
ViewedSearchReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewedSearchReport“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.summary |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
AdaptiveScope abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-AdaptiveScope“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AufbewahrungCompliancePolicy abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-RetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Neue ComplianceCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-RetentionCompliancePolicy“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Neue-RetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-RetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } } |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Compliance-Tag abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-ComplianceTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Set-RetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-RetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RegulatoryComplianceUI
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-RegulatoryComplianceUI“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-RetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } } |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
New-AdaptiveScope
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-AdaptiveScope“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AdaptiveScopeStorage aktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Enable-AdaptiveScopeStorage“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
SearchCustomTag
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchCustomTag“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | about.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Rechtliche Compliance-Benutzeroberfläche festlegen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-RegulatoryComplianceUI“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
RemoveRetentionComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „RemoveRetentionComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | If Name is CmdletOptions then store value of Value in process_args variable.
If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} The name and value for the parameters that were used with the corresponding cmdlet. |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
NewAdaptiveScope
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „NewAdaptiveScope“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
The name and value for the parameters that were used with the corresponding cmdlet. If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
| ObjectType | security_result.summary |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
CommentCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CommentCreated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| SiteUrl | network.http.referral_url |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| CommentId | about.labels.key/value |
DeviceAccessPolicyChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeviceAccessPolicyChanged“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| ModifiedProperties | target.labels.key/value |
HeartBeat
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „HeartBeat“ und die Arbeitslast „Aip“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Common | target.resource.product_object_id
target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version |
| Version | metadata.product_version |
MessageCreation
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageCreation“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
| MessageID | target.resource.product_object_id |
ThreadViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ThreadViewed“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
| ThreadID | about.labels.key/value |
StreamEditAdminGlobalRoleMembers
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamEditAdminGlobalRoleMembers“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeGetTextTrack
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeGetTextTrack“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeChannelView
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeChannelView“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoMakePublic
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeVideoMakePublic“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeGroupView
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeGroupView“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
Set-CsOnlineDirectoryTenant
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-CsOnlineDirectoryTenant“ und die Arbeitslast „SkypeForBusiness“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | target.labels.key/value |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
Set-CsHostedVoicemailPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-CsHostedMailboxnachrichtPolicy“ und die Arbeitslast „SkypeForBusiness“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | target.administrative_domain
target.url target.labels.key/value If Name is Organization then Value is mapped to target.administrative_domain If Name is Destination then Value is mapped to target.url else target.labels.key/value |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
Get-CSSimpleUrlConfiguration
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-CSSimpleUrlConfiguration“ und die Arbeitslast „SkypeForBusiness“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | target.administrative_domain
target.labels.key/value If Name is Organization then Value is mapped to target.administrative_domain else target.labels.key/value |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
New-ExchangeAssistanceConfig
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-ExchangeAssistanceConfig“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Neue App
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-App“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
| SessionId | network.session_id |
PublishToWebReport
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PublishToWebReport“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
UpdateGateway
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdateGateway“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| GatewayId | target.resource.product_object_id |
ShareDataset
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ShareDataset“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| ArtifactId | target.resource.product_object_id |
| ArtifactName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| SharingAction | about.labels.key/value |
GetRefreshablesAsAdmin
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GetRefreshablesAsAdmin“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
CreateTagJob
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateTagJob“ und die Arbeitslast „Compliance“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| CaseID | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
Delegierte Berechtigungszuweisung hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Add delegated permission grant und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
|
|
| Version | metadata.product_version
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | target.resource.product_object_id
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If |
| TargetContextId | target.labels.key/value
|
Zuweisung von App-Rollen zum Diensthauptkonto hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add app Rollenzuweisung zum Diensthauptkonto hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name security_result.summary If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
In Anwendung aktualisieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Update to application“ (Auf Anwendung aktualisieren) und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
Anwendung aktualisieren – Verwaltung von Zertifikaten und Secrets
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Update application – Certificates and secrets management und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
if |
|
| Version | metadata.product_version
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
|
| TargetContextId | target.labels.key/value
|
Inhaber zur Anwendung hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add Owner to Application“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name security_result.summaryIf Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Application.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.labels.key/value |
| TargetContextId | target.labels.key/value |
Zur Anwendung hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Zu Anwendung hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
Gerätekonfiguration hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerätekonfiguration hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
Unbestätigte Domain hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Nicht bestätigte Domain hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is Name then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
Richtlinie hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Richtlinie hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
CreateResponse
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „CreateResponse“ und die Arbeitslast „MicrosoftForms“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
EditForm
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „EditForm“ und die Arbeitslast „MicrosoftForms“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
SubmitResponse
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SubmitResponse“ und die Arbeitslast „MicrosoftForms“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
ViewResponses
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewResponses“ und die Arbeitslast „MicrosoftForms“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
ViewRuntimeForm
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ViewRuntimeForm“ und die Arbeitslast „MicrosoftForms“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
DeleteFlow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „DeleteFlow“ und die Arbeitslast „MicrosoftForms“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| FormsUserTypes | target.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
ListViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListViewed“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| ItemCount | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| TemplateTypeId | about.labels.key/value |
ListColumnUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListColumnUpdated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListContentTypeUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListContentTypeUpdated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListItemDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListItemDeleted“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListUpdated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| TemplateTypeId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| ItemCount | target.labels.key/value |
ListItemCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListItemCreated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| TemplateTypeId | about.labels.key/value |
| ItemCount | target.labels.key/value |
ListColumnCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListColumnCreated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| TemplateTypeId | about.labels.key/value |
| ItemCount | target.labels.key/value |
SiteContentTypeUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SiteContentTypeUpdated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListItemViewed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListItemViewed“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| ItemCount | target.labels.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListItemUniqueId | principal.asset_id |
ListItemUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ListItemUpdated“ und die Arbeitslast „SharePoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| target.file.size | target.labels.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListItemUniqueId | principal.asset_id |
FileRenamed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileUmbenennend“ und die Arbeitslast „Endpunkt“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE | |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileType | target.resource.attribute.labels.key/value |
| PreviousFileName | src.file.full_path |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
UpdatePowerApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UpdatePowerApp“ und die Arbeitslast „PowerApps“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| AppName | target.labels.key/value |
| Id | metadata.product_log_id |
SubscribedToMessages
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SubscribedToMessages“ und die Arbeitslast „MicrosoftTeams“ aufgelistet:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| ExtraProperties | additional.fields.key/value.string_value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessageCreatedNotification
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageCreatedNotification“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| MessageVersion | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessageUpdatedNotification
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageUpdatedNotification“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| MessageVersion | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessageCreatedHasLink
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageCreatedHasLink“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessagesListed
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für die Operation „MessagesListed“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| ChannelGuid | target.resource.product_object_id |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
PerformedCardAction
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „PerformedCardAction“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| CommunicationType | about.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
MessageEditedHasLink
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageEditedHasLink“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MeetingParticipantDetail
In der folgenden Tabelle sind die Protokollfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MeetingParticipantDetail“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Attendees | about.resource.product_object_id
about.user.product_object_id about.user.attribute.roles.name OrganizationId is mapped to about.resource.product_object_id Role is mapped to about.user.attribute.roles.name UserObjectId is set to about.user.product_object_id |
| ExtraProperties | additional.fields.key/value.string_value |
| JoinTime | target.resource.attribute.creation_time |
| LeaveTime | target.resource.attribute.last_update_time |
| MeetingDetailId | target.resource.product_object_id |
| Version | metadata.product_version |
MeetingDetail
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MeetingDetail“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| StartTime | target.resource.attribute.creation_time |
| EndTime | target.resource.attribute.last_update_time |
| ExtraProperties | additional.fields.key/value.string_value |
| MeetingURL | target.url |
| MessageId | target.resource.product_object_id |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| Modalities | security_result.summary |
| Organizer | principal.user.product_object_id |
| Version | metadata.product_version |
MessageUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageUpdated“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| MessageId | target.resource.product_object_id |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| Version | metadata.product_version |
AggregateTransportQueueData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AggregateTransportQueueData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AuthorizeCustomerInsight
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AuthorizeCustomerInsight“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AuthorizeConnectorReportData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AuthorizeConnectorReportData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertOverride
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchAlertOverride“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AuthorizeMailflowForwardingData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AuthorizeMailflowForwardingData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchDomainTrafficStatus
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchDomainTrafficStatus“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertActivity
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchAlertActivity“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateMailmetadata
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AggregateMailmetadata“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
InsightGenerated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „InsightGenerated“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Category | security_result.category_details |
| Description | security_result.description |
| InsightId | target.resource.product_object_id |
| Name | target.resource.name |
| Version | metadata.product_version |
UserSubmission
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UserSubmission“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCAN_UNCATEGORIZED
security_result.category is MAIL_SPAM |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| KesMailId | network.email.mail_id |
| ExtendedProperties | security_result.rule_name
security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details |
| P1SenderDomain | principal.administrative_domain |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| P2Sender | network.email.from |
| SubmissionState | security_result.summary |
| P1Sender | principal.user.email_addresses |
| Version | metadata.product_version |
SaveRoleGroupMember
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SaveRoleGroupMember“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateCampaignIntelligenceData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AggregateCampaignIntelligenceData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchEmailTimelineEvents
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchEmailTimelineEvents“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertStory
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchAlertStory“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateThreatDetailsBulk
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AggregateThreatDetailsBulk“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
User abrufen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-User“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line
target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-DlpComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Get-DlpComplianceRule“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line
target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AnalyzedByExternalApplication
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AnalyzedByExternalApplication“ und die Arbeitslast „Power BI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.name |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
New-MigrationBatch
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-MigrationBatch“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.administrative_domain target.resource.attribute.key/value If Name is Name then Value is mapped to target.resource.name if Name is TargetDeliveryDomain then Value is mapped to target.administrative_domain If Name is AutoStart then Value is mapped to target.resource.attribute.key/value If Name is AutoComplete then Value is mapped to target.resource.attribute.key/value |
| SessionId | network.session_id |
UserSubmissionTriage
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „UserSubmissionTriage“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCAN_UNCATEGORIZED
security_result.category is set to MAIL_SPAM |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | security_result.rule_name
security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details |
| GradingResult | security_result.category_details |
| KesMailId | network.email.mail_id |
| P1Sender | principal.user.email_addresses |
| P1SenderDomain | principal.administrative_domain |
| P2Sender | network.email.from |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| SubmissionState | security_result.summary |
FileArchived
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileArchiviert“ und die Arbeitslast „Endpunkt“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileCreatedOnNetworkShare
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCreatedOnNetworkShare“ und die Arbeitslast „Endpoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_CREATION | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileCreatedOnRemovableMedia
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileCreatedOnRemovableMedia“ und die Arbeitslast „Endpoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_CREATION | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
SlimFilePrinted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SlimFilePrinted“ und die Arbeitslast „Endpoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
target.asset.type is PRINTER |
|
| Application | target.application |
| DeviceName | target.hostname |
| FileType | target.resource.attribute.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |
FilePrinted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FilePrinted“ und die Arbeitslast „Endpoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
target.asset.type is PRINTER |
|
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| PreviousFileName | src.file.full_path |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
ArchiveCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ArchiveCreated“ und die Arbeitslast „Endpoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileDownloadedFromBrowser
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „FileDownloadedFromBrowser“ und die Arbeitslast „Endpoint“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
Anwendungspasswort für Nutzer erstellen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Anwendungspasswort für Nutzer erstellen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
SearchNdrDetailData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „SearchNdrDetailData“ und die Arbeitslast „SecurityComplianceCenter“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line
target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
MessageUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageUpdated“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
Zugriff
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Access“ und die Arbeitslast „Aip“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is set to target.file.full_path |
|
| Common | target.resource.product_object_id
target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version |
| DataState | security_result.summary |
| Version | metadata.product_version |
Entdecken
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Discover“ und die Arbeitslast „Aip“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is set to target.file.full_path |
|
| Common | target.resource.product_object_id
target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version |
| DataState | security_result.summary |
| Version | metadata.product_version |
TIUrlClickData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „TIUrlClickData“ und die Arbeitslast „ThreatIntelligence“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.application |
| AppVersion | metadata.product_version |
| EventDeepLink | metadata.url_back_to_product |
| SourceId | AppName is Mail then SourceId is mapped to network.email.id |
| Url | target.url |
| UserIp | principal.ip |
| Version | metadata.product_version |
Gerät nicht mehr verwaltet
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät nicht mehr verwaltet“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource.resource_type is set to DEVICE |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.asset.product_object_id
target.platform If Name is TargetId.DeviceId then NewValue is mapped to target.asset.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
AirInvestigationData
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „AirInvestigationData“ und die Arbeitslast „AirInvestigation“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| LastUpdateTimeUtc | target.resource.attribute.last_update_time |
| Status | security_result.summary |
| InvestigationId | target.resource.product_object_id |
| InvestigationType | target.resource.attribute.labels.key/value |
| Data | security_result.description
security_result.category_details network.email.to network.email.from network.email.mail_id network.email.subject network.direction principal.ip principal.administrative_domain principal.user.email_addresses Data.Description is mapped to security_result.description Data.Category is mapped to security_result.category_details Data.Entities.1.Recipient is mapped to network.email.to Data.Entities.1.Sender is mapped to network.email.from Data.Entities.1.InternetMessageId is mapped to network.email.mail_id Data.Entities.1.Subject is mapped to network.email.subject Data.Entities.1.AntispamDirection is mapped to network.direction Data.Entities.1.SenderIP is mapped to principal.ip Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain Data.Entities.1.P1Sender is mapped to principal.user.email_addresses |
| InvestigationName | target.resource.name |
| StartTimeUtc | target.resource.attribute.creation_time |
| Version | metadata.product_versionn |
| DeepLinkUrl | metadata.url_back_to_product |
Set-MailboxJunkEmailConfiguration (Postausgangs-E-Mail-Konfiguration)
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-MailboxJunkEmailConfiguration“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.user.email_addresses
If Name is BlockedSendersAndDomains then Value is mapped to target.user.email_addresses (all email addresses comes as ; separated) |
| SessionId | network.session_id |
| Version | metadata.product_version |
Neue Verteilergruppe
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-DistributionGroup“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is ManagedBy then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Member then Value is mapped to security_result.description else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
Verteilergruppenmitglied hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add-DistributionGroupMember“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
Regel zum Entfernen des Posteingangs
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-InboxRule“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.rule_labels.key/value |
| SessionId | network.session_id |
Postfach aktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Enable-Mailbox“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id or target.user.email_addresses or target.user.user_display_name
target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid if Name is Archive then Value is mapped to target.resource.attribute.labels.key/value |
| SessionId | network.session_id |
Importieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Import“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| SwitchState | about.labels.key/value |
| ImportSource | about.labels.key/value |
| ImportType | target.file.mime_type |
| ImportDisplayName | target.file.full_path |
Gerät nicht mehr konform
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Gerät nicht mehr konform“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to DEVICE |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.resource.product_object_id If Name is TargetId.DeviceId then NewValue is mapped to target.resource.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Konto aktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Enable account und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| version | metadata.product_version
|
| TargetContextId | target.labels.key/value
|
Anmeldedaten für Diensthaupt hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Anmeldedaten des Diensthaupts hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Set-SyncUser
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Set-SyncUser“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id or target.user.email_addresses or target.user.user_display_name
If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid |
| SessionId | network.session_id |
MessageSent
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „MessageSent“ und die Arbeitslast „MicrosoftTeams“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| ChannelGuid | target.labels.key/value |
| OperationScope | about.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| MessageId | target.resource.product_object_id |
| Version | metadata.product_version |
| MessageVersion | target.resource.attribute.labels.key/value |
Anmeldedaten des Diensthauptkontos entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Anmeldedaten des Diensthaupts entfernen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Entfernen-Verschieben-Anfrage
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Remove-MoveRequest“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id or target.user.email_addresses or target.user.user_display_name
target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid If Name is ExecutingIdentity then Value is mapped to target.resource.attribute.labels.key/value |
StreamInvokeGetTranscript
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „StreamInvokeGetTranskript“ und die Arbeitslast „MicrosoftStream“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
Inhaber aus Gruppe entfernen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Inhaber aus Gruppe entfernen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product_object_id
target.group.group_display_nameIf Name is Group.ObjectID then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Zuweisung von App-Rollen zu Gruppe hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Add app Rollenzuweisung to group“ (Anwendungsrollenzuweisung zu Gruppe hinzufügen) und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name target.group.group_display_name If Name is AppRole.Id then NewValue is mapped to target.resource.product_object_id If Name is AppRole.DisplayName then NewValue is mapped to target.resource.name If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
E-Mail-User deaktivieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Disable-MailUser“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ResultStatus is True Action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid |
New-FolderMoveRequest
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „New-FolderMoveRequest“ und die Arbeitslast „Exchange“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | If Name is Name then Value is mapped to target.resource.name
If Name is DomainController then Value is mapped to target.administrative_domain If Name is Folders then Value is mapped to target.resource.attribute.labels.key/value |
Inhaber zu Richtlinie hinzufügen
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „Inhaber zu Richtlinie hinzufügen“ und die Arbeitslast „AzureActiveDirectory“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent
if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | If Name is Policy.ObjectID then NewValue is mapped to target.resource.product_object_id
If Name is Policy.DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
EditContentProviderProperties
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „EditContentProviderProperties“ und die Arbeitslast „PowerBI“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | We map this field based on value of UpdateApp Operation value.
recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | RecipientEmail is mapped to about.user.email_addresses
RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| SwitchState | about.labels.key/value |
| ContentProviderCertificationStage | security_result.summary |
| AppId | target.labels.key/value |
| RequestId | about.labels.key/value |
ReportingAccessed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „ReportingAccessed“ und die Arbeitslast „Project“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| Version | metadata.product_version |
| Action | security_result.description |
| OnBehalfOfResId | about.labels.key/value |
GroupAccessFailure
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang „GroupAccessFailure“ und die Arbeitslast „Yammer“ aufgeführt:
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| ActorUserId | principal.user.email_addresses
principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description is set to IsSoftDelete - {IsSoftDelete} |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
FileSensitivityLabelChanged
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang FileSensitivityLabelChanged und die Arbeitslast SharePoint/OneDrive aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED
|
|
| AppAccessContext.CorrelationId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value |
| DestinationFileExtension | target.file.mime_type |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationLabel | target.labels |
| EventSource | principal.application |
| HighPriorityMediaProcessing | about.labels |
| IsManagedDevice | about.labels |
| ItemType | target.resource.attribute.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ListServerTemplate | security_result.detection_fields.key/value |
| SensitivityLabelEventData.ActionSource | principal.labels.key/value |
| SensitivityLabelEventData.LabelEventType | target.labels.key/value |
| SensitivityLabelEventData.OldSensitivityLabelId | target.resource.product_object_id |
| SensitivityLabelEventData.OldSensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName} |
| SourceRelativeUrl | src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName} |
| SourceLabel | src.labels.key/value |
| UserAgent | network.http.user_agent |
| UserKey | target.labels |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
FileRead
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang FileRead und die Arbeitslast Endpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_READ
|
|
| Application | principal.application |
| DeviceName | target.hostname |
| DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
| DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
| EnforcementMode | target.labels |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Hidden | security_result.detection_fields.key/value |
| JitTriggered | security_result.detection_fields.key/value |
| MDATPDeviceId | security_result.detection_fields.key/value |
| PolicyMatchInfo | target.resource.product_object_id
|
| RMSEncrypted | security_result.detection_fields.key/value |
| SensitiveInfoTypeData | security_result.detection_fields.key/value
|
| SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
MessageReadReceiptReceived
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang MessageReadReceiptReceived und die Arbeitslast MicrosoftTeams aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE |
|
| ChatThreadId | target.user.group_identifiers
|
| CommunicationType | about.labels.key/value |
| MessageId | target.resource.product_object_id |
| MessageVersion | target.resource.attribute.labels.key/value |
| MessageVisibilityTime | target.resource.attribute.labels.key/value |
| ParticipantInfo.HasForeignTenantUsers | security_result.detection_fields.key/value |
| ParticipantInfo.HasGuestUsers | security_result.detection_fields.key/value |
| ParticipantInfo.HasOtherGuestUsers | security_result.detection_fields.key/value |
| ParticipantInfo.HasUnauthenticatedUsers | security_result.detection_fields.key/value |
| ParticipantInfo.ParticipatingTenantIds | security_result.detection_fields.key/value |
Suche
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Search und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED |
|
| AadAppId | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
| Version | metadata.product_version |
| DataType | security_result.description |
TaskDeleted
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TaskDeleted und die Arbeitslast MicrosoftTodo aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_DELETION
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
TaskUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TaskUpdated und die Arbeitslast MicrosoftTodo aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
TaskCreation
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TaskCreation und die Arbeitslast MicrosoftTodo aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_CREATION
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
SecurityGroupModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang SecurityGroupModified und die Arbeitslast Project aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GROUP_MODIFICATION |
|
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| UserKey | target.labels |
| Version | metadata.product_version |
| AppAccessContext.UniqueTokenId | target.labels |
| AppAccessContext.CorrelationId | security_result.detection_fields.key/value |
LaunchPowerApp
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang LaunchPowerApp und die Arbeitslast PowerApps aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GENERIC_EVENT |
|
| AppName | target.labels.key/value
|
| Version | metadata.product_version |
DeleteDatasetRows
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang DeleteDatasetRows und die Arbeitslast PowerBI aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION.
If
else |
|
| UserAgent | network.http.user_agent
|
| WorkSpaceName | target.resource.attribute.labels.key/value
|
| DatasetName | target.resource.attribute.labels.key/value
|
| WorkspaceId | target.resource.attribute.labels.key/value
|
| DatasetId | target.resource.product_object_id
|
| DataConnectivityMode | target.resource.attribute.labels.key/value
|
| ArtifactId | target.resource.attribute.labels.key/value
|
| RequestId | about.labels.key/value
|
| ActivityId | principal.labels.key/value
|
| TableName | target.resource.attribute.labels.key/value
|
| LastRefreshTime | about.labels.key/value
|
| ArtifactKind | target.resource.attribute.labels.key/value
|
Neue DlpCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang New-DlpCompliancePolicy und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| ClientApplication | principal.labels.key/value
|
| CmdletVersion | metadata.product_version
|
| EffectiveOrganization | target.administrative_domain
|
| ObjectId | target.resource.product_object_id
|
| Parameters | target.process.command_line
|
| SecurityComplianceCenterEventType | about.labels.key/value
|
| StartTime | target.resource.attribute.creation_time
|
| UserKey | target.labels
|
| UserServicePlan | principal.labels.key/value
|
| Version | metadata.product_version
|
Neue DlpComplianceRule
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang New-DlpComplianceRule und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| ClientApplication | principal.labels.key/value
|
| CmdletVersion | metadata.product_version
|
| EffectiveOrganization | target.administrative_domain
|
| ObjectId | target.resource.product_object_id
|
| Parameters | target.process.command_line
|
| SecurityComplianceCenterEventType | about.labels.key/value
|
| StartTime | target.resource.attribute.creation_time
|
| UserKey | target.labels
|
| UserServicePlan | principal.labels.key/value
|
| Version | metadata.product_version
|
Get-InsiderRiskPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Get-InsiderRiskPolicy und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| ClientApplication | principal.labels.key/value
|
| CmdletVersion | metadata.product_version
|
| EffectiveOrganization | target.administrative_domain
|
| ObjectId | target.resource.product_object_id
|
| Parameters | target.process.command_line
|
| SecurityComplianceCenterEventType | about.labels.key/value
|
| StartTime | target.resource.attribute.creation_time
|
| UserKey | target.labels
|
| UserServicePlan | principal.labels.key/value
|
| Version | metadata.product_version
|
Set-HostedContentFilterPolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Set-HostedContentFilterPolicy und die Arbeitslast Exchange aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
If
else |
|
| ExternalAccess | about.labels.key/value
|
| ObjectId | target.resource.product_object_id
|
| Version | metadata.product_version
|
| Parameters | target.resource.attribute.labels.key/value
|
| UserKey | target.labels.key/value
|
Starke Authentifizierung aktivieren.
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Enable Strong Authentication. und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
|
|
| ExtendedProperties | If Name is equal to additionalDetails then User-Agent is mapped with network.http.user_agent
else if else |
| ModifiedProperties | If Name is equal to Included Updated Properties then NewValue is mapped with security_result.summary
else |
ReactedToMessage
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ReactedToMessage und die Arbeitslast MicrosoftTeams aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| AppAccessContext.IssuedAtTime | target.labels.key/value
|
| AppAccessContext.UniqueTokenId | target.labels.key/value
|
| ChatThreadId | target.user.group_identifiers
|
| ChatThreadId | target.group.product_object_id
|
| MessageReactionType | target.resource.attribute.labels.key/value
|
| ChatName | target.group.group_display_name
|
| MessageId | target.resource.product_object_id
|
| ParticipantInfo.HasForeignTenantUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.HasGuestUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.HasOtherGuestUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.HasUnauthenticatedUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.ParticipatingTenantIds | security_result.detection_fields.key/value
|
RemovableMediaUnmount
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang RemovableMediaUnmount und die Arbeitslast Endpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED.
|
|
| MDATPDeviceId | target.asset.asset_id
|
| Platform | target.labels.key/value
|
| Scope | target.labels.key/value
|
| RemovableMediaDeviceAttributes.Manufacturer | target.asset.hardware.manufacturer
|
| RemovableMediaDeviceAttributes.Model | target.asset.hardware.model
|
| RemovableMediaDeviceAttributes.SerialNumber | target.asset.hardware.serial_number
|
FileUploadedToCloud
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang FileUploadedToCloud und die Arbeitslast Endpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_SYNC.
|
|
| DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value
|
| DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value
|
| EnforcementMode | target.labels.key/value
|
| EvidenceFile.FullUrl | target.file.full_path
|
| EvidenceFile.StorageName | target.file.names
|
| Hidden | security_result.detection_fields.key/value
|
| JitTriggered | security_result.detection_fields.key/value
|
| MDATPDeviceId | security_result.detection_fields.key/value
|
| SensitiveInfoTypeData.Count | security_result.detection_fields.key/value
|
| SensitiveInfoTypeData.Confidence | security_result.detection_fields.key/value
|
| SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value
|
| TargetPrinterName | target.asset.hostname
|
target.asset.type is set to PRINTER | |
| TargetDomain | target.labels.key/value
|
GenerateDataflowSasToken
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang GenerateDataflowSasToken und die Arbeitslast PowerBI aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS.
|
|
| DataflowAccessTokenRequestParameters.entityName | principal.labels.key/value
|
| DataflowAccessTokenRequestParameters.partitionUri | principal.labels.key/value
|
| DataflowAccessTokenRequestParameters.permissions | principal.labels.key/value
|
| DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes | principal.labels.key/value
|
| DataflowId | target.resource.product_object_id
|
| DataflowName | target.resource.name
|
| IsSuccess |
If
else |
| ItemName | target.labels.key/value |
GenerateScreenshot
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang GenerateScreenshot und die Arbeitslast PowerBI aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
MDCAssessments
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang MDCAssessments und die Arbeitslast CompliancePostureManagement aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
|
|
| PropertyBag.AssessmentStatusPerInitiative.ArnEventId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.CloudProvider | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.CustomerResourceId | about.resource.product_object_id
|
| PropertyBag.AssessmentStatusPerInitiative.EventType | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.ResourceName | about.resource.name
|
| PropertyBag.AssessmentStatusPerInitiative.ResourceType | about.resource.resource_subtype
|
| PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.StatusCode | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.SubscriptionId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.SubscriptionName | about.labels.key/value
|
| PropertyBag.DataType | about.labels.key/value |
RemovableMediaMount
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang RemovableMediaMount und die Arbeitslast Endpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED.
|
|
| MDATPDeviceId | target.asset.asset_id
|
| Platform | target.labels.key/value
|
| Scope | target.labels.key/value
|
| RemovableMediaDeviceAttributes.Manufacturer | target.asset.hardware.manufacturer
|
| RemovableMediaDeviceAttributes.Model | target.asset.hardware.model
|
| RemovableMediaDeviceAttributes.SerialNumber | target.asset.hardware.serial_number
|
SignInEvent
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang SignInEvent und die Arbeitslast SharePoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED.
|
|
| AuthenticationType | principal.labels.key/value
|
| BrowserName | principal.labels.key/value
|
| BrowserVersion | principal.labels.key/value
|
| DeviceDisplayName | principal.labels.key/value
|
| IsManagedDevice | principal.labels.key/value
|
ApprovedRequest
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ApprovedRequest und die Arbeitslast MicrosoftTeams aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
|
|
| ItemName | target.labels.key/value
|
CreateForm
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang CreateForm und die Arbeitslast MicrosoftForms aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| FormsUserType | target.labels.key/value
|
| SourceApp | principal.application
|
ListForms
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ListForms und die Arbeitslast MicrosoftForms aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
MDCRegulatoryComplianceAssessments
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang MDCRegulatoryComplianceAssessments und die Arbeitslast CompliancePostureManagement aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
|
|
| PropertyBag.DataType | about.labels.key/value
|
| PropertyBag.Policy.ArnEventId | about.labels.key/value
|
| PropertyBag.Policy.Description | about.labels.key/value
|
| PropertyBag.Policy.DetailsLink | about.labels.key/value
|
| PropertyBag.Policy.EventTime | about.labels.key/value
|
| PropertyBag.Policy.EventType | about.labels.key/value
|
| PropertyBag.Policy.PolicyInitiativeId | about.labels.key/value
|
| PropertyBag.Policy.PolicyInitiativeName | about.labels.key/value
|
PreviewForm
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang PreviewForm und die Arbeitslast MicrosoftForms aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
|
ViewedApprovalRequest
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ViewedApprovalRequest und die Arbeitslast MicrosoftTeams aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
|
|
| ItemName | target.labels.key/value
|
ListCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ListCreated und die Arbeitslast SharePoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| AppAccessContext.UniqueTokenId | target.labels.key/value
|
| ListColor | target.labels.key/value
|
| ListIcon | target.labels.key/value
|
SiteColumnCreated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang SiteColumnCreated und die Arbeitslast OneDrive aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| ObjectId | target.resource.product_object_id
|
ListViewUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ListViewUpdated und die Arbeitslast SharePoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| AppAccessContext.UniqueTokenId | target.labels.key/value |
| AuthenticationType | principal.labels.key/value |
| BrowserName | principal.labels.key/value |
| BrowserVersion | principal.labels.key/value |
| CustomizedDoclib | principal.labels.key/value |
| DeviceDisplayName | principal.labels.key/value |
| FromApp | principal.labels.key/value |
| IsManagedDevice | principal.labels.key/value |
| ItemCount | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| ObjectId | target.url |
| Platform | target.labels.key/value |
| RecordType | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| Source | security_result.description |
| TemplateTypeId | about.labels.key/value |
| WebId | about.labels.key/value |
TeamsUserSignedOut
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TeamsUserSignedOut und die Arbeitslast MicrosoftTeams aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_LOGOUT.
|
|
extension.auth.auth_type is mapped to SSO.
|
|
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers |
| DeviceInformation | principal.labels.key/value |
| ItemName | target.labels.key/value |
| MessageId | target.labels.key/value |
| MessageVersion | target.labels.key/value |
| ObjectId | target.labels.key/value |
| TeamGuid | target.group.product_object_id |
| TeamName | target.group.group_display_name |
| UserKey | target.labels.key/value |
| UserType | target.user.attribute.roles |
| Version | metadata.product_version |
GetWorkspaces
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang GetWorkspaces und die Arbeitslast PowerBI aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| Activity | about.labels.key/value |
| ActivityId | about.labels.key/value |
| AggregatedWorkspaceInformation.WorkspaceCount | target.labels.key/value |
| AggregatedWorkspaceInformation.WorkspacesByCapacitySku | target.labels.key/value |
| AggregatedWorkspaceInformation.WorkspacesByType | target.labels.key/value |
| IsSuccess | security_result.action |
| UserAgent | network.http.user_agent |
ConnectFromExternalApplication
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ConnectFromExternalApplication und die Arbeitslast PowerBI aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| Activity | about.labels.key/labels |
| CustomData | about.labels.key/value |
TaskListRead
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TaskListRead und die Arbeitslast Planner aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| UserKey | principal.labels.key/labels |
| ObjectId | target.labels.key/labels |
| TaskList | target.labels.key/value |
PutConnection
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang PutConnection und die Arbeitslast PowerApps aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE. |
|
| ObjectId | target.labels.key/value |
| Version | metadata.product_version |
| AdditionalInfo.actionName | security_result.detection_fields.key/value |
| ResourceId | target.labels.key/value |
| UserKey | target.label.key/value |
| AdditionalInfo.environmentName | target.labels.key/value |
AdminSubmissionTablAllow
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang AdminSubmissionTablAllow und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GENERIC_EVENT. |
|
| SubmissionContent | security_result.detection_fields.key/value |
| SubmissionContentType | security_result.detection_fields.key/value |
| ObjectId | target.labels.key/value |
| Recipients | network.email.to |
| SubmissionState | security_result.summary |
| SubmissionId | security_result.detection_fields.key/value |
| ExtendedProperties | principal.labels.key/value
If Else |
| SubmissionConfidenceLevel | security_result.detection_fields.key/value |
| SubmissionType | security_result.detection_fields.key/value |
| MessageDate | about.labels.key/value |
| P1SenderDomain | principal.administrative_domain |
| UserKey | target.label.key/value |
| P2SenderDomain | about.administrative_domain |
| Subject | network.email.subject |
| Version | metadata.product_version |
Kontakt hinzufügen.
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Add contact. und die Arbeitslast AzureActiveDirectory aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_CREATION.
|
|
| ObjectId | target.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| ActorContextId | principal.labels.key/value |
| SupportTicketId | about.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| TargetContextId | target.labels.key/value |
| UserKey | target.label.key/value |
| Target | security_result.detection_fields.key/value |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ExtendedProperties | target.resource.attribute.labels.key/value
If Else |
| ModifiedProperties | target.resource.name
If Else if Else |
WorkspacePortalUrlReceived
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang WorkspacePortalUrlReceived und die Arbeitslast MicrosoftDefenderForIdentity aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE. |
|
| ResultDescription | security_result.detection_fields.key.value |
| UserKey | target.labels.key/value |
PutConnectionPermission
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang PutConnectionPermission und die Arbeitslast PowerApps aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE.
|
|
| ObjectId | target.labels.key/value |
| Version | metadata.product_version |
| AdditionalInfo.actionName | security_result.detection_fields.key/value |
| ResourceId | target.resource.attribute.labels.key/value |
| UserKey | target.label.key/value |
| AdditionalInfo.environmentName | target.resource.attribute.labels.key/value |
| AdditionalInfo.targetObjectId | target.resource.product_object_id |
SensitivityLabeledFileOpened
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang SensitivityLabeledFileOpened und die Arbeitslast PublicEndpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_OPEN.
|
|
| PreviousProtectionType.protectionType | security_result.detection_fields.key/value |
| CurrentProtectionType.protectionType | security_result.detection_fields.key/value |
| DeviceName | target.hostname |
| CurrentProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| CurrentProtectionType.owner | security_result.about.email_addresses |
| TargetLocation | target.labels.key/value |
| UserKey | target.labels.key/value |
| LabelId | target.labels.key/value |
| CurrentProtectionType.templateId | security_result.detection_fields.key/value |
| ProtectionEventType | security_result.detection_fields.key/value |
| ContentType | target.labels.key/value |
| Platform | target.platform |
| UserSku | principal.labels.key/value |
| PreviousProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| ObjectId | target.url |
| PreviousProtectionType.owner | security_result.about.email_addresses |
| Application | principal.application |
| PreviousProtectionType.templateId | security_result.detection_fields.key/value |
Validieren
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Validate und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| ResultCount | target.labels.key/value |
| DataType | security_result.description |
| UserKey | target.labels.key/value |
| AadAppId | target.labels.key/value |
| RelativeUrl | target.url |
SensitivityLabeledFileRenamed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang SensitivityLabeledFileRenamed und die Arbeitslast PublicEndpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_MOVE.
|
|
| PreviousProtectionType.protectionType | security_result.detection_fields.key/value |
| CurrentProtectionType.protectionType | security_result.detection_fields.key/value |
| DeviceName | target.hostname |
| CurrentProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| CurrentProtectionType.owner | security_result.about.email_addresses |
| TargetLocation | target.labels.key/value |
| UserKey | target.labels.key/value |
| LabelId | target.labels.key/value |
| CurrentProtectionType.templateId | security_result.detection_fields.key/value |
| ProtectionEventType | security_result.detection_fields.key/value |
| ContentType | target.labels.key/value |
| Platform | target.platform |
| UserSku | principal.labels.key/value |
| PreviousProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| ObjectId | target.url |
| PreviousProtectionType.owner | security_result.about.email_addresses |
| Application | principal.application |
| PreviousProtectionType.templateId | security_result.detection_fields.key/value |
| PreviousTarget | src.url |
TaskModified
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TaskModified und die Arbeitslast Planner aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN.
|
|
| PlanId | target.resource.attribute.labels.key/value |
| UserKey | target.labels.key/value |
| ObjectId | target.resource.product_object_id |
DeleteTile
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang TaskModified und die Arbeitslast PowerBI aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_DELETION.
|
|
| WorkspaceId | target.resource.product_object_id |
| WorkSpaceName | target.resource.name |
| UserKey | target.labels.key/value |
| ActivityId | principal.labels.key/value |
| RefreshEnforcementPolicy | security_result.detection_fields.key/value |
| RequestId | about.labels.key/value |
| IsSuccess | security_result.action |
| UserAgent | network.http.user_agent |
| ObjectId | target.resource.attribute.labels.key/value |
QuarantineReleaseMessage
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang QuarantineReleaseMessage und die Arbeitslast Quarantine aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| NetworkMessageId | security_result.detection_fields.key/value |
| ReleaseTo | security_result.detection_fields.key/value |
| RequestType | security_result.detection_fields.key/value |
| RequestSource | security_result.detection_fields.key/value |
WorkspaceStatusReceived
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang WorkspaceStatusReceived und die Arbeitslast MicrosoftDefenderForIdentity aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| ResultDescription | security_result.detection_fields.key/value |
LinkedEntityUpdated
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang LinkedEntityUpdated und die Arbeitslast MicrosoftTodo aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN.
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value and target.resource.product_object_id |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
ViewResponse
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang ViewResponse und die Arbeitslast MicrosoftForms aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
|
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
PlanListRead
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang PlanListRead und die Arbeitslast Planner aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_READ.
|
|
| PlanList | target.resource.product_object_id |
| ObjectId | target.resource.attribute.labels.key/value |
O365SyncAdminUserPromotion
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang O365SyncAdminUserPromotion und die Arbeitslast Yammer aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE. |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| ObjectId | target.labels.key/value |
| YammerNetworkId | principal.labels.key/value |
FileCopiedToClipboard
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang FileCopiedToClipboard und die Arbeitslast Endpoint aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED. |
|
| Application | principal.application |
| DeviceName | target.hostname |
| DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
| DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
| EnforcementMode | target.labels.key/value |
| EvidenceFile.FullUrl | target.labels.key/value |
| EvidenceFile.StorageName | target.labels.key/value |
| FileExtension | target.file.mime_type |
| FileType | target.resource.attribute.labels.key/value |
| Hidden | security_result.detection_fields.key/value |
| JitTriggered | security_result.detection_fields.key/value |
| MDATPDeviceId | security_result.detection_fields.key/value |
| ObjectId | target.file.full_path |
| Platform | target.labels.key/value |
| PolicyMatchInfo | target.resource.product_object_id
|
| SensitiveInfoTypeData | security_result.detection_fields.key/value
|
| Scope | target.labels.key/value |
| RMSEncrypted | security_result.detection_fields.key/value |
| SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
| SourceLocationType | principal.labels.key/value |
| TargetDomain | target.domain.name |
| TargetFilePath | target.labels.key/value |
| OriginatingDomain | principal.domain.name |
FileTranscriptContentAccessed
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang FileTranscriptContentAccessed und die Arbeitslast OneDrive aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_READ. |
|
| AlternateStreamId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application and target.resource.name |
| ApplicationId | target.resource.product_object_id |
| AuthenticationType | principal.labels.key/value |
| AppAccessContext.UniqueTokenId | target.labels.key/value |
| BrowserName | principal.labels.key/value |
| BrowserVersion | principal.labels.key/value |
| DeviceDisplayName | principal.labels.key/value |
| IsManagedDevice | principal.labels.key/value |
| EventSource | principal.application |
| HighPriorityMediaProcessing | about.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ListServerTemplate | security_result.detection_fields.key/value |
| ObjectId | target.url |
| Platform | target.labels.key/value |
| Site | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is mapped to SourceRelativeUrl/SourceFileName. |
| SourceRelativeUrl | target.file.full_path is mapped to SourceRelativeUrl/SourceFileName. |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
Set-DlpCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Set-DlpCompliancePolicy und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| ClientApplication | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| ObjectId | target.resource.product_object_id |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
| UserKey | target.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
Entfernen-DlpCompliancePolicy
In der folgenden Tabelle sind die Logfelder und die entsprechenden UDM-Zuordnungen für den Vorgang Remove-DlpCompliancePolicy und die Arbeitslast SecurityComplianceCenter aufgeführt:
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION.
|
|
| ClientApplication | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| ObjectId | target.resource.product_object_id |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
| UserKey | target.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |