Microsoft 365 ログを収集する

このドキュメントでは、Chronicle のフィードを設定して Microsoft 365 ログを収集する方法と、ログフィールドを Chronicle Unified Data Model（UDM）フィールドにマッピングする方法について説明します。また、サポートされている監査対象アクティビティとサポートされている Microsoft 365 バージョンについても説明します。

Chronicle へのデータの取り込みの概要については、Chronicle へのデータの取り込みをご覧ください。

概要

次のデプロイアーキテクチャ図は、Chronicle にログを送信するように Microsoft 365 と Chronicle のフィードを構成する方法を示しています。お客様のデプロイはそれぞれこの表現とは異なる可能性があり、より複雑になることがあります。

デプロイアーキテクチャ

アーキテクチャ図には、次のコンポーネントが示されています。

Microsoft 365。ログを収集する Microsoft 365 サービス。
Chronicle のフィード。Microsoft 365 からログを取得し、ログを Chronicle に書き込む Chronicle フィード。
Chronicle。Chronicle は、Microsoft 365 のログを保持し、分析します。

取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。このドキュメントの情報は、取り込みラベル OFFICE_365 が付加されたパーサーに適用されます。

始める前に

Microsoft 365 バージョン 2204 Build 16.0.15128.20248 以降を使用し、Microsoft セキュリティとコンプライアンスセンター機能を含む Microsoft 365 Enterprise E5 のサブスクリプションがあることを確認します。
サポートされているすべての Microsoft 製品に対して異なるイベントを生成してエクスポートするために、必要な権限と権限をユーザーに付与します。権限の例については、管理 API へのアクセス権限をご覧ください。
ログの検索とエクスポートを行うように Microsoft 365 を構成します。Microsoft Azure Active Directory（Azure AD）は Microsoft 365 のディレクトリサービスです。ログの生成には最大 24 時間かかります。詳細については、監査ログを検索するをご覧ください。
デプロイアーキテクチャ内のすべてのシステムが、UTC タイムゾーンに構成されていることを確認します。

Chronicle パーサーがサポートするアクティビティとプロダクトを確認します。次の表に、Chronicle パーサーがサポートするアクティビティとプロダクトを示します。

アクティビティ	プロダクト
ファイルとページのアクティビティ	SharePoint Online と OneDrive for Business
フォルダアクティビティ	SharePoint Online と OneDrive for Business
SharePoint リストアクティビティ	SharePoint Online
共有とリクエストアクティビティ	SharePoint Online と OneDrive for Business
同期アクティビティ	SharePoint Online と OneDrive for Business
サイト権限のアクティビティ	SharePoint Online
サイト管理作業	SharePoint Online
Exchange メールボックスのアクティビティ	Microsoft 365 グループのメールボックス
ユーザー管理アクティビティ	Microsoft 365 管理センター
Azure AD グループ管理アクティビティ	Microsoft 365 管理センター
アプリケーション管理作業	管理者が Azure AD に登録されるアプリケーションを追加または変更する場合
ロール管理アクティビティ	Microsoft 365 管理センター
ディレクトリ管理作業	Microsoft 365 管理センター
Power BI アクティビティ	Power BI
Microsoft Teams のアクティビティ	Microsoft Teams
Microsoft Teams Shifts のアクティビティ	Microsoft Teams の Shifts アプリ
Microsoft Teams Healthcare のアクティビティ	Microsoft Teams の Patients アプリケーション
Microsoft Teams Shifts のアクティビティ	Microsoft Teams の Shifts アプリ
Yammer のアクティビティ	Yammer
Microsoft Power Automate のアクティビティ	Power Automate（旧称 Microsoft Flow）
Microsoft PowerApps のアクティビティ	Power Apps
Microsoft Stream のアクティビティ	Microsoft Stream
検疫アクティビティ	Office 365 でメールを検疫する
Microsoft Forms のアクティビティ	Microsoft Teams
感度ラベルのアクティビティ	SharePoint Online と Teams のラベル付けアクティビティ
保持ポリシーと保持ラベルのアクティビティ	該当なし
メールアクティビティの概要	概要説明メール
MyAnalytics のアクティビティ	MyAnalytics
情報の障壁のアクティビティ	該当なし
処理の確認のアクティビティ	該当なし
コミュニケーションのコンプライアンスアクティビティ	該当なし
未定義のアクティビティ	該当なし

Microsoft 365 ログを取り込むように Chronicle のフィードを構成する

Chronicle の設定に移動し、[フィード] をクリックします。
[Add New] をクリックします。
[ソースタイプ] で [サードパーティ API] を選択します。
[ログタイプ] で [Office 365] を選択します。
[Next] をクリックします。
Microsoft 365 の構成に基づいて、[OAuth クライアント ID]、[OAuth クライアントシークレット]、[テナント ID] の詳細を指定します。
このフィードを作成するコンテンツタイプを選択します。必要なコンテンツタイプごとに個別のフィードを作成する必要があります。
[次へ]、[送信] の順にクリックします。

Chronicle フィードの詳細については、Chronicle フィードのドキュメントをご覧ください。

フィールドマッピングリファレンス

このセクションでは、Chronicle パーサーが、サポートされているオペレーションやワークロードの Chronicle Unified Data Model（UDM）フィールドに Microsoft 365 ログフィールドをマッピングする方法について説明します。

共通フィールド

次の表に、一般的なログフィールドと対応する UDM フィールドを示します。

Common log field	UDM field
ID	metadata.product_log_id
RecordType	security_result.detection_fields.key/value security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc
CreationTime	metadata.event_timestamp
Operation	metadata.product_event_type
OrganizationId	principal.resource.product_object_id
UserType	principal.user.attribute.roles.name
UserId	principal.user.email_addresses or principal.user.userid target.user.email_addresses or target.user.userid If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user If UserId value contains email address then it is mapped to email_address, else it is mapped to userid.
ClientIP	principal.ip and principal.port
Workload	target.application
AppAccessContext	network.session.id security_result.detection_fields.key/value AADSessionId is mapped to network.session.id CorrelationId is mapped to security_result.detection_fields.key/value

サポートされているオペレーションの UDM マッピングについては、次のセクションをご覧ください。

FileAccessed

次の表に、オペレーション「Fileaccessed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileAccessedExtended

次の表に、オペレーション「FileAccessedExtended」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileDeleted

次の表に、オペレーション「FileDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCopied

次の表に、オペレーション「FileCopied」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileModified

次の表に、オペレーション「FileModified」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileDownloaded

次の表に、オペレーション「FileDownloaded」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
UserSessionId	network.http.session_id
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ZipFileName	principal.resource.parent

FileModifiedExtended

次の表に、オペレーション「FileModifiedExtended」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileMoved

次の表に、オペレーション「FileMoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FilePreviewed

次の表に、オペレーション「FilePreviewed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileRenamed

次の表に、オペレーション「FileRenamed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileUploaded

次の表に、オペレーション「Fileuploaded」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ImplicitShare	target.resource.attribute.labels.key/value

FileVersionsAllDeleted

次の表に、オペレーション「FileVersionsAllDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
WebId	about.labels.key/value

FileCheckedIn

次の表に、オペレーション「FileCheckedIn」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	workload map with intermediary.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCheckedOut

次の表に、オペレーション「FileCheckedOut」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	Uniquely Identify resource in site like File or Folder
ItemType	This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	Information about the user's browser. This information is provided by the browser.
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ComplianceSettingChanged

次の表に、オペレーション「ComplianceSettingChanged」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
SharingType	target.labels.key/value

LockRecord

次の表に、オペレーション「LockRecord」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

UnlockRecord

次の表に、オペレーション「UnlockRecord」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileDeletedFirstStageRecycleBin

次の表に、オペレーション「FileDeletedFirstStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SharingType	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileDeletedSecondStageRecycleBin

次の表に、オペレーション「FileDeletedSecondStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

RecordDelete

次の表に、オペレーション「RecordDelete」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

次の表に、オペレーション「DocumentSensitivityMismatchDetected」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCheckOutDiscarded

次のテーブルに、オペレーション「FileCheckOutRedised」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileVersionsAllMinorsRecycled

次の表に、オペレーション「FileVersionsAllMinorsRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileVersionsAllRecycled

次の表に、オペレーション「FileVersionsAllRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileVersionRecycled

次の表に、オペレーション「FileVersionRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileRestored

次の表に、オペレーション「FileRestored」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SharingType	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileMalwareDetected

次の表に、オペレーション「FileMalwareDetected」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
VirusInfo	security_result.threat_name
VirusVendor	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

SearchQueryPerformed

次の表に、オペレーション「SearchQueryPerformed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
EventData	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

PageViewed

次の表に、オペレーション「PageViewed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

PagePrefetched

次の表に、オペレーション「PagePrefetched」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ClientViewSignaled

次の表に、オペレーション「ClientViewSignaled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

PageViewedExtended

次の表に、オペレーション「PageViewedExtended」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

FolderCreated

次の表に、オペレーション「FolderCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderDeleted

次の表に、オペレーション「FolderDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderMoved

次の表に、オペレーション「FolderMoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} SourceRelativeUrl field not getting in log
DestinationRelativeUrl	DestinationRelativeUrl field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	DestinationFileName field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderRenamed

次の表に、オペレーション「FolderRenamed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderModified

次の表に、オペレーション「FolderModified」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderCopied

次の表に、オペレーション「FolderCopied」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path
SourceRelativeUrl	src.file.full_path
DestinationRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderRestored

次の表に、オペレーション「FolderRestored」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderDeletedFirstStageRecycleBin

次の表に、オペレーション「FolderDeletedFirstStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderDeletedSecondStageRecycleBin

次の表に、オペレーション「FolderDeletedSecondStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncDownloadedFull

次の表に、オペレーション「FileSyncDownloadedFull」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	src.file.size
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncDownloadedPartial

次のテーブルに、オペレーション「FileSyncDownloadedPart」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	src.file.size
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncUploadedFull

次の表に、オペレーション「FileSyncuploadedFull」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	target.file.size
ImplicitShare	target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncUploadedPartial

次の表は、ログオペレーションと、オペレーション「FileSyncUploadedPartial」とワークロード「SharePoint/OneDrive」に対応する UDM マッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	target.file.size
ImplicitShare	target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ManagedSyncClientAllowed

次の表に、オペレーション「ManagedSyncClientAllowed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_WRITTEN
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

UnmanagedSyncClientBlocked

次の表に、オペレーション「UnmanagedSyncClientBlocked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

AddedToGroup

次の表に、オペレーション「AddedToGroup」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.group.group_display_name
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
Site	target.labels.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

GroupAdded

次の表に、オペレーション「GroupAdded」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
Site	target.labels.key/value
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

GroupRemoved

次の表に、オペレーション「GroupRemoved」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebRequestAccessModified

次の表は、オペレーション「WebRequestAccessModified」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebMembersCanShareModified

次の表に、オペレーション「WebMembersCanShareModified」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
version	metadata.product_version
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

PermissionLevelModified

次の表に、オペレーション「PermissionLevelModified」とワークロード「SharePoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name
version	metadata.product_version
WebID	about.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

SiteCollectionAdminAdded

次の表は、オペレーション「SiteCollectionAdminAdded」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

SiteCollectionAdminRemoved

次の表は、オペレーション「SiteCollectionAdminRemoved」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId	about.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

PermissionLevelRemoved

次の表に、オペレーション「PermissionLevelRemoved」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.permissions.name
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

RemovedFromGroup

次の表は、オペレーション「RemovedFromGroup」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.group.group_display_name
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

GroupUpdated

次の表に、オペレーション「GroupUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.referral_url
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

ProjectCheckedOut

次の表に、オペレーション「ProjectCheckedOut」とワークロード「Project」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

ProjectAccessed

次の表に、オペレーション「ProjectAccessed」とワークロード「Project」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

SharingInheritanceBroken

次の表は、オペレーション「SharedPreemptibleanceBroken」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application

AddToSecureLink

次の表に、オペレーション「AddedToSecureLink」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId	target.labels.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ApplicationDisplayName	target.application

CompanyLinkCreated

次の表に、オペレーション「CompanyLinkCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
ApplicationDisplayName	target.application

CompanyLinkUsed

次のテーブルに、オペレーション「CompanyLinkUsed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SecureLinkCreated

次の表は、オペレーション「SecureLinkCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value

SharingInvitationCreated

次の表に、オペレーション「SharingInvitationCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkDeleted

次の表に、オペレーション「SecureLinkDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application

RemoveFromSecureLink

次の表に、オペレーション「RemovedFromSecureLink」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id

SharingInvitationRevoked

次の表に、オペレーション「SharingInvitationRevoked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkUpdated

次の表は、オペレーション「SecureLinkUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkUsed

次の表に、オペレーション「SecureLinkUsed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SharingRevoked

次の表に、オペレーション「SharedRevoked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SharingSet

次の表に、オペレーション「SharingSet」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

PermissionLevelAdded

次の表に、オペレーション「PermissionLevelAdded」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name

SharingInvitationAccepted

次の表に、オペレーション「共SharingInvitationAccepted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.name Added to Group is mapped to target.resource.name

SharingInvitationBlocked

次の表に、オペレーション「SharingInvitationBlocked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	security_result.summary Reason is mapped to security_result.summary

AccessRequestCreated

次の表に、オペレーション「AccessRequestCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value

AnonymousLinkCreated

次の表に、オペレーション「AnonymousLinkCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value

AccessRequestUpdated

次の表に、オペレーション「AccessRequestUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
ModifiedProperties	target.labels.key/value

CompanyLinkRemoved

次の表に、オペレーション「CompanyLinkRemoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value

AccessRequestAuthorized

次の表に、オペレーション「AccessRequestApproved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
EventData	target.resource.name Extract using grok grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } }
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id

AnonymousLinkRemoved

次の表に、オペレーション「AnonymousLinkRemoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value
SourceFileExtension	target.file.mime_type
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
MachineId	target.asset.product_object_id

AnonymousLinkUpdated

次の表に、オペレーション「AnonymousLinkUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
ApplicationDisplayName	target.application
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SharingInvitationUpdated

次の表に、オペレーション「SharingInvitationUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ModifiedProperties	target.labels.key/value
	event_type is mapped to USER_RESOURCE_ACCESS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

AnonymousLinkUsed

次の表に、オペレーション「AnonymousLinkUsed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループの追加

次の表に、オペレーション「グループを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set toGroup membership update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループにメンバーを追加

次の表に、オペレーション「グループにメンバーを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else map about.labels.key/value
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーを追加

次の表に、オペレーション「ユーザーを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

ユーザーのライセンスを変更します。

次の表に、オペレーション「ユーザーのライセンスを変更します。」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーパスワードの変更

次の表に、オペレーション「ユーザーパスワードの変更」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group deletion successful ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group deletion failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループを削除

次の表に、オペレーション「グループを削除」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group membership update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループからメンバーを削除する

次の表に、オペレーション「グループからメンバーを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION if status is Success then action ALLOW security_result.summary User deleted successfully
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーを削除

次の表に、オペレーション「ユーザーを削除」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is Success Action is set to ALLOW security_result.summary is User updated successfully ResultStatus is Failure Action is set to BLOCK security_result.summary is User update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーの更新

次の表に、オペレーション「ユーザーを更新」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION if ObjectId not contain (empty) or Not Available then ObjectId is set to target.group.product_object_id
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループの更新

次の表に、オペレーション「グループを更新」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN If ResultStatus is Succeeded or ResultStatus is Success security_result.action is ALLOW security_result.summary is User login successful else if ResultStatus is Failed or LogonError !is security_result.action is BLOCK security_result.summary is User login failed security_result.description is {LogonError} UserId is mapped to target.user.userid or target.user.email_addresses metadata.description is User Login - {Workload}
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description

UserLoggedIn

次の表に、オペレーション「UserLoggedIn」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN security_result.Action is set to BLOCK security_result.summary is User login failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE If Name is UserAgent then Value is mapped to network.http.user_agent If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type If Name is requestType then Based on Value it will map with extensions.auth.type
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is matched to Windows then principal.platform is WINDOWS If Value is matched to Mac then principal_plateform is MAC if Value is matched to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

UserLoginFailed

次の表に、オペレーション「UserLoginFailed」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Update StsRefreshTokenValidFrom Timestamp

次の表に、オペレーション「Update StsRefreshTokenValidFrom Timestamp」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summary If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイス

次の表に、オペレーション「デバイスの更新」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ドメインで連携を設定する

次の表に、オペレーション「ドメインで連携を設定する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

ドメインの所有権を証明

次の表に、オペレーション「ドメインの確認」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

会社情報を設定する

次の表に、オペレーション「会社情報を設定する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーパスワードを再設定

次の表に、オペレーション「ユーザーパスワードを再設定」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.description security_result.summary target.labels.key/value If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue} If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

アカウントを無効にする

次の表に、オペレーション「アカウントを無効にする」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーのアプリケーションパスワードを削除する

次の表に、オペレーション「ユーザーのアプリケーションパスワードを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイスを削除

次の表に、オペレーション「デバイスを削除」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

登録ユーザーをデバイスに追加する

次の表に、オペレーション「登録ユーザーをデバイスに追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイスに登録済みの所有者を追加する

次の表に、オペレーション「デバイスに登録済みの所有者を追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループにオーナーを追加する

次の表に、オペレーション「グループにオーナーを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product_object_id target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value

Microsoft 365 ログを収集する

概要

始める前に

Microsoft 365 ログを取り込むように Chronicle のフィードを構成する

フィールド マッピング リファレンス

共通フィールド

FileAccessed

FileAccessedExtended

FileDeleted

FileCopied

FileModified

FileDownloaded

FileModifiedExtended

FileMoved

FilePreviewed

FileRenamed

FileUploaded

FileVersionsAllDeleted

FileCheckedIn

FileCheckedOut

ComplianceSettingChanged

LockRecord

UnlockRecord

FileDeletedFirstStageRecycleBin

FileDeletedSecondStageRecycleBin

RecordDelete

DocumentSensitivityMismatchDetected

DocumentSensitivityMismatchDetected

FileCheckOutDiscarded

FileVersionsAllMinorsRecycled

FileVersionsAllRecycled

FileVersionRecycled

FileRestored

FileMalwareDetected

SearchQueryPerformed

PageViewed

PagePrefetched

ClientViewSignaled

PageViewedExtended

FolderCreated

FolderDeleted

FolderMoved

FolderRenamed

FolderModified

FolderCopied

FolderRestored

FolderDeletedFirstStageRecycleBin

FolderDeletedSecondStageRecycleBin

FileSyncDownloadedFull

FileSyncDownloadedPartial

FileSyncUploadedFull

FileSyncUploadedPartial

ManagedSyncClientAllowed

UnmanagedSyncClientBlocked

AddedToGroup

GroupAdded

GroupRemoved

WebRequestAccessModified

WebMembersCanShareModified

PermissionLevelModified

SiteCollectionAdminAdded

SiteCollectionAdminRemoved

PermissionLevelRemoved

RemovedFromGroup

GroupUpdated

ProjectCheckedOut

ProjectAccessed

SharingInheritanceBroken

AddToSecureLink

CompanyLinkCreated

CompanyLinkUsed

SecureLinkCreated

SharingInvitationCreated

SecureLinkDeleted

RemoveFromSecureLink

SharingInvitationRevoked

SecureLinkUpdated

SecureLinkUsed

SharingRevoked

SharingSet

フィールドマッピングリファレンス

ユーザーパスワードの変更

ユーザーパスワードを再設定

ユーザーのアプリケーションパスワードを削除する