Mantieni tutto organizzato con le raccolte Salva e classifica i contenuti in base alle tue preferenze.

Raccogli i log di Microsoft 365

Questo documento descrive come puoi raccogliere i log di Microsoft 365 configurando un feed Chronicle e come vengono mappati i campi di Chronicle Unified Data Model (UDM). Nel documento sono elencate anche le attività controllate supportate e la versione di Microsoft 365 supportata.

Per una panoramica dell'importazione dei dati in Chronicle, vedi Importazione dei dati in Chronicle.

Panoramica

Il seguente diagramma dell'architettura di deployment mostra come sono configurati i feed Microsoft 365 e Chronicle per inviare i log a Chronicle. Il deployment di ogni cliente potrebbe differire da questa rappresentazione e potrebbe essere più complesso.

Architettura di deployment

Il diagramma dell'architettura mostra i seguenti componenti:

  • Microsoft 365 Il servizio Microsoft 365 da cui raccogli i log.

  • Feed Chronicle. Il feed Chronicle che recupera i log da Microsoft 365 e scrive i log in Chronicle.

  • Chronicle. Chronicle conserva e analizza i log di Microsoft 365.

Un'etichetta di importazione identifica l'analizzatore sintattico che normalizza i dati di log non elaborati in formato UDM strutturato. Le informazioni contenute in questo documento si applicano all'analizzatore sintattico con l'etichetta di importazione OFFICE_365.

Prima di iniziare

  • Utilizza Microsoft 365 versione 2204 Build 16.0.15128.20248 o successiva e verifica di avere un abbonamento a Microsoft 365 Enterprise E5 con funzionalità Microsoft Security and Compliance Center.

  • Concedi all'utente i privilegi e le autorizzazioni richiesti per generare ed esportare eventi diversi per tutti i prodotti Microsoft supportati. Per un esempio di autorizzazione, vedi Autorizzazioni per accedere alle API di gestione

  • Configurare Microsoft 365 per la ricerca e l'esportazione dei log. Microsoft Azure Active Directory (Azure AD) è il servizio di directory per Microsoft 365. Sono necessarie fino a 24 ore per generare i log. Per saperne di più, vedi Eseguire una ricerca nel log di controllo

  • Assicurati che tutti i sistemi nell'architettura di deployment siano configurati nel fuso orario UTC.

  • Rivedi le attività e i prodotti supportati dall'analizzatore sintattico di Chronicle. Nella tabella seguente sono elencate le attività e i prodotti supportati dall'analizzatore sintattico di Chronicle:

    Attività Prodotti
    Attività di file e pagine SharePoint Online e OneDrive for Business
    Attività cartella SharePoint Online e OneDrive for Business
    SharePoint list lists (Attività di elenco di SharePoint) SharePoint Online
    Attività di richiesta di condivisione e accesso SharePoint Online e OneDrive for Business
    Attività di sincronizzazione SharePoint Online e OneDrive for Business
    Attività relative alle autorizzazioni dei siti SharePoint Online
    Attività di amministrazione del sito SharePoint Online
    Attività della casella di posta di Exchange Caselle di posta Microsoft 365 Group
    Attività di amministrazione degli utenti Centro di amministrazione Microsoft 365
    Attività di amministrazione del gruppo Azure AD Centro di amministrazione Microsoft 365
    Attività di amministrazione delle applicazioni Quando un amministratore aggiunge o modifica un'applicazione registrata in Azure AD
    Attività di amministrazione dei ruoli Centro di amministrazione Microsoft 365
    Attività di amministrazione della directory Centro di amministrazione Microsoft 365
    Attività BI avanzate Logo Power BI
    Attività di Microsoft Teams Microsoft Teams
    Attività di Microsoft Teams Shifts Sposta l'app in Microsoft Teams
    Attività sanitarie di Microsoft Teams Applicazione per i pazienti in Microsoft Teams
    Attività di Microsoft Teams Shifts Sposta l'app in Microsoft Teams
    Attività di Yammer Martello
    Attività di Microsoft Power Automation Power Automation (precedentemente chiamato Microsoft Flow)
    Attività di Microsoft PowerApps App di potenza
    Attività di Microsoft Stream Microsoft Stream
    Mettere in quarantena le attività. Mettere in quarantena i messaggi email in Office 365
    Attività di Moduli Microsoft Microsoft Teams
    Attività etichetta di sensibilità Attività di etichettatura per SharePoint Online e Teams
    Norme relative alla conservazione e attività delle etichette di conservazione NA
    Briefing delle attività email Email sulla rassegna stampa
    Attività di MyAnalytics Analytics
    Attività di barriera dell'informazione NA
    Attività di revisione della disposizione NA
    Attività di conformità delle comunicazioni NA
    Attività non definita NA

Configurare un feed in Chronicle per importare i log di Microsoft 365

  1. Vai alle impostazioni di Chronicle e fai clic su Feed.
  2. Fai clic su Aggiungi nuovo.
  3. Seleziona API di terze parti per Tipo di origine.
  4. Seleziona Office 365 in Tipo di log.
  5. Fai clic su Next (Avanti).
  6. In base alla configurazione di Microsoft 365, specifica i dettagli di ID client OAuth, Client secret OAuth e ID tenant.
  7. Seleziona il Tipo di contenuti per cui stai creando questo feed. Devi creare un feed separato per ogni tipo di contenuto richiesto.
  8. Fai clic su Next (Avanti), quindi su Submit (Invia).

Per scoprire di più sui feed di Chronicle, consulta la documentazione relativa ai feed di Chronicle. Per informazioni sui requisiti per ogni tipo di feed, consulta la pagina Configurazione del feed per tipo.

Riferimento per la mappatura dei campi

Questa sezione spiega in che modo l'analizzatore sintattico di Chronicle mappa i campi di log di Microsoft 365 a quelli di Chronicle Unified Data Model (UDM) per le operazioni e i carichi di lavoro supportati.

Campi comuni

Nella tabella seguente sono elencati i campi log comuni e i corrispondenti campi UDM.

Common log field UDM field
ID metadata.product_log_id
RecordType

security_result.detection_fields.key/value

security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc

security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc

CreationTime metadata.event_timestamp
Operation metadata.product_event_type
OrganizationId principal.resource.product_object_id
UserType principal.user.attribute.roles.name
UserId

principal.user.email_addresses or principal.user.userid

target.user.email_addresses or target.user.userid

If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user

If UserId value contains email address then it is mapped to email_address, else it is mapped to userid.

ClientIP principal.ip and principal.port
Workload target.application
AppAccessContext

network.session.id security_result.detection_fields.key/value

AADSessionId is mapped to network.session.id

CorrelationId is mapped to security_result.detection_fields.key/value

Per informazioni di riferimento sulle mappature UDM per le operazioni supportate, consulta le sezioni seguenti:

Accesso ai file

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Fileaccessed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileAccessedExtended

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileAccessedExtended" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File eliminato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileDelete" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File copiato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileCopy" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData src.file.full_path

target.file.full_path

Extract

SourceFileUrl is mapped to src_file_full_path

TargetFileUrl is mapped to target_file_full_path

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File modificato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileModified" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

File scaricati

La seguente tabella elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileDownload" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
UserSessionId network.http.session_id
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ZipFileName principal.resource.parent

FileModifiedExtended

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FileModifiedExtended" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

File spostato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileMove" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Anteprima file

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileAnteprima" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File rinominato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileRenamed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

File caricato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileUpload" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ImplicitShare target.resource.attribute.labels.key/value

FileVersionAllAll

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileVersionsAllDeleted" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
WebId about.labels.key/value

FileCheckedIn

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FileCheckedIn" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName workload map with intermediary.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCheckedOut

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FileCheckedOut" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site Uniquely Identify resource in site like File or Folder
ItemType This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource principal.application
SourceName principal.labels.key/value
UserAgent Information about the user's browser. This information is provided by the browser.
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ImpostazioneConformitàCambiata

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "ComplianceSettingChanged" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
SharingType target.labels.key/value

Record di blocco

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "LockRecord" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Sblocca Record

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione " UnlockRecord " e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileBinFirstRecycleBin eliminato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FileDeletedFirstStageRecycleBin" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SharingType target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileEliminatoSecondoStageRecycleBin

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FileDeletedSecondStageRecycleBin" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Registrazione/eliminazione record

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "RecordDelete" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Identificazione non corrispondente del documento

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "DocumentSensitivityMismatchDetected" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Identificazione non corrispondente del documento

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "DocumentSensitivityMismatchDetected" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File CheckOut eliminato

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FileCheckOutOverrideed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllMinorsRecycled

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileVersionsAllMinorsRecycled" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllRecycled

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FileVersionsAllRecycled" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionRecycled

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileVersionRecycled" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File ripristinato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileRipristinad" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SharingType target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileMalwareRilevato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FileMalwareDetected" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
VirusInfo security_result.threat_name
VirusVendor target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Query di ricerca eseguita

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SearchQueryPerform" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventData target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Visualizzato da pagina

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "PageViewed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pagina precaricata

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "PagePrefetched" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ClientViewSignaled

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "ClientViewSignaled" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

PaginaVisualizzataEstesa

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "PageViewedExtended" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Cartella creata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FolderCreated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella eliminata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FolderDelete" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella spostata

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FolderMove" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

SourceRelativeUrl field not getting in log

DestinationRelativeUrl DestinationRelativeUrl field not getting in log

target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}

DestinationFileName DestinationFileName field not getting in log

target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}

DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData src.file.full_path

target.file.full_path

Extract

SourceFileUrl is mapped to src_file_full_path

TargetFileUrl is mapped to target_file_full_path

grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella rinominata

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FolderRenamed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella modificata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FolderModified" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella copiata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FolderCopy" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path
SourceRelativeUrl src.file.full_path
DestinationRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella ripristinata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FolderRipristinad" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartella eliminata prima cartella Recycle

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FolderDeletedFirstStageRecycleBin" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Cartellaeliminata seconda fase (riciclo)

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "FolderDeletedSecondStageRecycleBin" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncScaricatoCompleto

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FileSyncDownloadFull" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Sincronizzazione file scaricata

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FileSyncDownloadPartial" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncCaricatoCompleto

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "FileSyncUploadFull" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Sincronizzazione file caricata parzialmente

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "FileSyncUploadPartial" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ClientSync gestito consentito

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "ManagedSyncClientAllowed" e per il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Client unManagedSync bloccato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "UnmanagedSyncClientBlock" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Aggiunto al Gruppo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "AddedToGroup" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.group.group_display_name
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Aggiunto gruppo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "GroupAdded" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Gruppo rimosso

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "GroupRemoved" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebRequestAccessModified

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "WebRequestAccessModified" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value
ItemType target.resource.attribute.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

I membri del Web possono condividere le modifiche

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "WebMembersCanShareModified" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
version metadata.product_version
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Livello di autorizzazione modificato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "PermissionLevelModified" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

version metadata.product_version
WebID about.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminAggiunto

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SiteCollectionAdminAdded" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ModifiedProperties If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Amministrazione SiteSite rimossa

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SiteCollectionAdminRemoved" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ModifiedProperties If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId about.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Livello di autorizzazione rimosso

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "PermissionLevelRemoved" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.permissions.name
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

RimossoDaGruppo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "RemovedFromGroup" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.group.group_display_name
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Gruppo aggiornato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "GroupUpdated" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.referral_url
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Progetto controllato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "ProjectCheckedOut" e il carico di lavoro "Project":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

Accessi dal progetto

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "ProjectAccessed" e il carico di lavoro "Project":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

Condivisione Ereditarietà non funzionante

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SharedInheritanceBroken" e il carico di lavoro "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "AddedToSecureLink" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId target.labels.key/value
Version metadata.product_version
WebId about.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ApplicationDisplayName target.application

Link dell'azienda creato

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "CompanyLinkCreated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
ApplicationDisplayName target.application

Collegamento azienda utilizzato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "CompanyLinkUsed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

SecureLinkCreated

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SecureLinkCreated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value

Invito alla condivisione creato

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SharedInviteCreated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped totarget.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkEliminato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "SecureLinkDeleted" e per il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type>

}

}

Type is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "RemovedFromSecureLink" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

Invito alla condivisione revocato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "CondivisioneInvitoRevocato" e per il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

Link sicuro aggiornato

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "SecureLinkUpdated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkUsed

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "SecureLinkUsed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Condivisione revocata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "CondivisioneRevocata" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Set di condivisione

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "SharedSet" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Livello di autorizzazioni aggiunto

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "PermissionLevelAdded" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

Invito alla condivisione accettato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "SharedInviteAccepted" e per il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.name

Added to Group is mapped to target.resource.name

Invito alla condivisione bloccato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "CondivisioneInvitoBloccato" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData security_result.summary

Reason is mapped to security_result.summary

Richiesta di accesso creata

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "AccessRequestCreated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped totarget.resource.attribute.labels.key/value

Link creato anonimo

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "AnaLinkLinkCreated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value

Richiesta di accesso aggiornata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "AccessRequestUpdated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

ModifiedProperties target.labels.key/value

Link dell'azienda rimosso

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "CompanyLinkRemoved" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type>

}

}

Type is mapped to target.resource.attribute.labels.key/value

Richiesta di accesso approvata

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "AccessRequestApprovate" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
EventData target.resource.name

Extract using grok

grok {

match is mapped to {

EventData <Added to group>{target_resource_name}.*

}

}

TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

Rimosso link anonimo

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "AnaLinkLinkRemoved" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value
SourceFileExtension target.file.mime_type
UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type>

}

}

Type is mapped to target.resource.attribute.labels.key/value

SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
MachineId target.asset.product_object_id

Link anonimo aggiornato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "AnaLinkLinkUpdated" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

Invito alla condivisione aggiornato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "CondivisioneInvitoAggiornato" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
ApplicationDisplayName target.application
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ModifiedProperties target.labels.key/value
event_type is mapped to USER_RESOURCE_ACCESS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Link anonimo utilizzato

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "AnaLinkLinkUsed" e il carico di lavoro "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ResultStatus is Success

Action is set to ALLOW

security_result.summary is set to Group creation successful

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is set to Group creation failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi gruppo

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi gruppo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set toGroup membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi membro al gruppo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi membro al gruppo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else map about.labels.key/value

ModifiedProperties security_result.summary

target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi utente

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi utente" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Cambia la licenza utente.

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Cambia licenza utente" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Cambiare la password utente

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Cambia password utente" e per il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group deletion successful

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group deletion failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Elimina gruppo

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Elimina gruppo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Rimuovi membro dal gruppo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Rimuovi membro dal gruppo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

if status is Success then

action ALLOW

security_result.summary User deleted successfully

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Elimina utente

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Eliminazione utente" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success

Action is set to ALLOW

security_result.summary is User updated successfully

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is User update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiorna utente

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Update user" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

if ObjectId not contain (empty) or Not Available then ObjectId is set to target.group.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiornamento gruppo

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Update group" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

If ResultStatus is Succeeded or ResultStatus is Success

security_result.action is ALLOW

security_result.summary is User login successful

else if ResultStatus is Failed or LogonError !is

security_result.action is BLOCK

security_result.summary is User login failed

security_result.description is {LogonError}

UserId is mapped to target.user.userid or target.user.email_addresses

metadata.description is User Login - {Workload}

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS {

If Value is match to Windows then principal.platform is WINDOWS

If Value is match to Mac then principal_plateform is MAC

if Value is match to Linux then principal_plateform is LINUX

}

If Name is SessionId then Value is mapped to network.session_id

If Name is OS then Value is mapped to principal.platform

If Name is DisplayName then Value is mapped to principal.hostname

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

Accesso eseguito dall'utente

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "UserLoggedIn" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

security_result.Action is set to BLOCK

security_result.summary is User login failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE

If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE

If Name is UserAgent then Value is mapped to network.http.user_agent

If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type

If Name is requestType then Based on Value it will map with extensions.auth.type

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS {

If Value is matched to Windows then principal.platform is WINDOWS

If Value is matched to Mac then principal_plateform is MAC

if Value is matched to Linux then principal_plateform is LINUX

}

If Name is SessionId then Value is mapped to network.session_id

If Name is OS then Value is mapped to principal.platform

If Name is DisplayName then Value is mapped to principal.hostname

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

Accesso utente non riuscito

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "UserLoginFailed" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiorna StsRefreshTokenValidFrom Timestamp

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Update StsRefreshTokenValidFrom Timestamp" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summary

If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiorna dispositivo

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Update device" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc).

ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Configura le impostazioni di federazione sul dominio

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Set Federation settings on domain" (Imposta impostazioni di federazione sul dominio) e per il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc).

ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Verifica dominio

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Verifica dominio" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Imposta le informazioni sulla società

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Set Company Information" (Imposta informazioni aziendali) e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Reimposta password utente

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Reimposta password utente" e per il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.description

security_result.summary

target.labels.key/value

If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue}

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Disabilita account

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Disabilita account" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Elimina la password dell'applicazione per l'utente

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Elimina la password dell'applicazione per l'utente" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Elimina dispositivo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Elimina dispositivo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi utenti registrati al dispositivo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi utenti registrati al dispositivo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi proprietario registrato al dispositivo

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Aggiungi proprietario registrato al dispositivo" e carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi proprietario al gruppo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi proprietario al gruppo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product_object_id

target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi OAuth2PermissionGrant

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Add OAuth2PermissionGrant" e per il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi dispositivo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi dispositivo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi concessione assegnazione ruolo app all'utente

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi concessione assegnazione app a utente" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSION

Workload is mapped to intermediary.application

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.application

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetName then Value is mapped to target.application

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.user.userid or target.user.email_addresses

If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "Consenso all'applicazione" e carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiorna entità servizio

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Update entità entità" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi entità di servizio

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi entità servizio" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Rimuovi entità di servizio

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Rimuovi entità servizio" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Aggiungi membro al ruolo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi membro al ruolo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Added a user to an admin role successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Added a user to an admin role failed

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.user.attribute.roles.name

if Name is Role.ObjectId then NewValue is target.resource.product_object_id

If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Rimuovi membro dal ruolo

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Rimuovi membro dal ruolo" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is Removed a user to an admin role successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is Removed a user to an admin role failed

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.user.attribute.roles.name

if Name is Role.ObjectId then NewValue is target.resource.product_object_id

If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value
Version metadata.product_version

Aggiungi etichetta

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Aggiungi etichetta" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is set to target.resource.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value
Version metadata.product_version

Crea società

La tabella seguente elenca i campi di log e le mappature UDM corrispondenti per l'operazione "Crea società" e il carico di lavoro "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

ObjectId is set to target.resource.product_object_id

AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.labels.key/value
TeamName target.group.group_display_name
Version metadata.product_version

Sessione team avviata

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "TeamsSessionStarted" e il carico di lavoro "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

Pianifica un gruppo aggiunto

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "ScheduleGroupAdded" e per il carico di lavoro "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ProgrammaGroupEdited

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "ScheduleGroupEdited" e il carico di lavoro "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_DELETION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

Pianifica un gruppo eliminato

Nella tabella seguente sono elencati i campi di log e le corrispondenti mappature UDM per l'operazione "ScheduleGroupDeleted" e per il carico di lavoro "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_CREATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc).

ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

Maiuscolo aggiunto

Nella tabella seguente sono elencati i campi di log e le mappature UDM corrispondenti per l'operazione "MaiuscAggiunto" e il carico di lavoro "MicrosoftTeams":

Log field UDM mapping