Microsoft 365 ログを収集する

このドキュメントでは、Chronicle のフィードを設定して Microsoft 365 ログを収集する方法と、ログフィールドを Chronicle Unified Data Model（UDM）フィールドにマッピングする方法について説明します。また、サポートされている監査対象アクティビティとサポートされている Microsoft 365 バージョンについても説明します。

Chronicle へのデータの取り込みの概要については、Chronicle へのデータの取り込みをご覧ください。

概要

次のデプロイアーキテクチャ図は、Chronicle にログを送信するように Microsoft 365 と Chronicle のフィードを構成する方法を示しています。お客様のデプロイはそれぞれこの表現とは異なる可能性があり、より複雑になることがあります。

デプロイアーキテクチャ

アーキテクチャ図には、次のコンポーネントが示されています。

Microsoft 365。ログを収集する Microsoft 365 サービス。
Chronicle のフィード。Microsoft 365 からログを取得し、ログを Chronicle に書き込む Chronicle フィード。
Chronicle。Chronicle は、Microsoft 365 のログを保持し、分析します。

取り込みラベルによって、未加工のログデータを構造化 UDM 形式に正規化するパーサーが識別されます。このドキュメントの情報は、取り込みラベル OFFICE_365 が付加されたパーサーに適用されます。

始める前に

Microsoft 365 バージョン 2204 Build 16.0.15128.20248 以降を使用し、Microsoft セキュリティとコンプライアンスセンター機能を含む Microsoft 365 Enterprise E5 のサブスクリプションがあることを確認します。
サポートされているすべての Microsoft 製品に対して異なるイベントを生成してエクスポートするために、必要な権限と権限をユーザーに付与します。権限の例については、管理 API へのアクセス権限をご覧ください。
ログの検索とエクスポートを行うように Microsoft 365 を構成します。Microsoft Azure Active Directory（Azure AD）は Microsoft 365 のディレクトリサービスです。ログの生成には最大 24 時間かかります。詳細については、監査ログを検索するをご覧ください。
デプロイアーキテクチャ内のすべてのシステムが、UTC タイムゾーンに構成されていることを確認します。

Chronicle パーサーがサポートするアクティビティとプロダクトを確認します。次の表に、Chronicle パーサーがサポートするアクティビティとプロダクトを示します。

アクティビティ	プロダクト
ファイルとページのアクティビティ	SharePoint Online と OneDrive for Business
フォルダアクティビティ	SharePoint Online と OneDrive for Business
SharePoint リストアクティビティ	SharePoint Online
共有とリクエストアクティビティ	SharePoint Online と OneDrive for Business
同期アクティビティ	SharePoint Online と OneDrive for Business
サイト権限のアクティビティ	SharePoint Online
サイト管理作業	SharePoint Online
Exchange メールボックスのアクティビティ	Microsoft 365 グループのメールボックス
ユーザー管理アクティビティ	Microsoft 365 管理センター
Azure AD グループ管理アクティビティ	Microsoft 365 管理センター
アプリケーション管理作業	管理者が Azure AD に登録されるアプリケーションを追加または変更する場合
ロール管理アクティビティ	Microsoft 365 管理センター
ディレクトリ管理作業	Microsoft 365 管理センター
Power BI アクティビティ	Power BI
Microsoft Teams のアクティビティ	Microsoft Teams
Microsoft Teams Shifts のアクティビティ	Microsoft Teams の Shifts アプリ
Microsoft Teams Healthcare のアクティビティ	Microsoft Teams の Patients アプリケーション
Microsoft Teams Shifts のアクティビティ	Microsoft Teams の Shifts アプリ
Yammer のアクティビティ	Yammer
Microsoft Power Automate のアクティビティ	Power Automate（旧称 Microsoft Flow）
Microsoft PowerApps のアクティビティ	Power Apps
Microsoft Stream のアクティビティ	Microsoft Stream
検疫アクティビティ	Office 365 でメールを検疫する
Microsoft Forms のアクティビティ	Microsoft Teams
感度ラベルのアクティビティ	SharePoint Online と Teams のラベル付けアクティビティ
保持ポリシーと保持ラベルのアクティビティ	該当なし
メールアクティビティの概要	概要説明メール
MyAnalytics のアクティビティ	MyAnalytics
情報の障壁のアクティビティ	該当なし
処理の確認のアクティビティ	該当なし
コミュニケーションのコンプライアンスアクティビティ	該当なし
未定義のアクティビティ	該当なし

Microsoft 365 ログを取り込むように Chronicle のフィードを構成する

Chronicle の設定に移動して、[フィード] をクリックします。
[Add New] をクリックします。
[ソースタイプ] で [サードパーティ API] を選択します。
[Log Type] で [Office 365] を選択します。
[Next（次へ）] をクリックします。
Microsoft 365 の構成に基づいて、[OAuth クライアント ID]、[OAuth クライアントシークレット]、[テナント ID] の詳細を指定します。
このフィードを作成するコンテンツタイプを選択します。必要なコンテンツタイプごとに個別のフィードを作成する必要があります。
[次へ]、[送信] の順にクリックします。

Chronicle フィードの詳細については、Chronicle フィードのドキュメントをご覧ください。

フィールドマッピングリファレンス

このセクションでは、Chronicle パーサーが、サポートされているオペレーションやワークロードの Chronicle Unified Data Model（UDM）フィールドに Microsoft 365 ログフィールドをマッピングする方法について説明します。

共通フィールド

次の表に、一般的なログフィールドと対応する UDM フィールドを示します。

Common log field	UDM field
ID	metadata.product_log_id
RecordType	security_result.detection_fields.key/value security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc
CreationTime	metadata.event_timestamp
Operation	metadata.product_event_type
OrganizationId	principal.resource.product_object_id
UserType	principal.user.attribute.roles.name
UserId	principal.user.email_addresses or principal.user.userid target.user.email_addresses or target.user.userid If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user If UserId value contains email address then it is mapped to email_address, else it is mapped to userid.
ClientIP	principal.ip and principal.port
Workload	target.application
AppAccessContext	network.session.id security_result.detection_fields.key/value AADSessionId is mapped to network.session.id CorrelationId is mapped to security_result.detection_fields.key/value

サポートされているオペレーションの UDM マッピングについては、次のセクションをご覧ください。

FileAccessed

次の表に、オペレーション「Fileaccessed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileAccessedExtended

次の表に、オペレーション「FileAccessedExtended」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileDeleted

次の表に、オペレーション「FileDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCopied

次の表に、オペレーション「FileCopied」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileModified

次の表に、オペレーション「FileModified」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileDownloaded

次の表に、オペレーション「FileDownloaded」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
UserSessionId	network.http.session_id
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ZipFileName	principal.resource.parent

FileModifiedExtended

次の表に、オペレーション「FileModifiedExtended」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MODIFICATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileMoved

次の表に、オペレーション「FileMoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FilePreviewed

次の表に、オペレーション「FilePreviewed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileRenamed

次の表に、オペレーション「FileRenamed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileUploaded

次の表に、オペレーション「Fileuploaded」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
ImplicitShare	target.resource.attribute.labels.key/value

FileVersionsAllDeleted

次の表に、オペレーション「FileVersionsAllDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
WebId	about.labels.key/value

FileCheckedIn

次の表に、オペレーション「FileCheckedIn」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	workload map with intermediary.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCheckedOut

次の表に、オペレーション「FileCheckedOut」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	Uniquely Identify resource in site like File or Folder
ItemType	This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	Information about the user's browser. This information is provided by the browser.
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ComplianceSettingChanged

次の表に、オペレーション「ComplianceSettingChanged」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
SharingType	target.labels.key/value

LockRecord

次の表に、オペレーション「LockRecord」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

UnlockRecord

次の表に、オペレーション「UnlockRecord」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileDeletedFirstStageRecycleBin

次の表に、オペレーション「FileDeletedFirstStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SharingType	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileDeletedSecondStageRecycleBin

次の表に、オペレーション「FileDeletedSecondStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

RecordDelete

次の表に、オペレーション「RecordDelete」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

次の表に、オペレーション「DocumentSensitivityMismatchDetected」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileCheckOutDiscarded

次のテーブルに、オペレーション「FileCheckOutRedised」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileVersionsAllMinorsRecycled

次の表に、オペレーション「FileVersionsAllMinorsRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileVersionsAllRecycled

次の表に、オペレーション「FileVersionsAllRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileVersionRecycled

次の表に、オペレーション「FileVersionRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileRestored

次の表に、オペレーション「FileRestored」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SharingType	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileMalwareDetected

次の表に、オペレーション「FileMalwareDetected」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
VirusInfo	security_result.threat_name
VirusVendor	target.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

SearchQueryPerformed

次の表に、オペレーション「SearchQueryPerformed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
EventData	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

PageViewed

次の表に、オペレーション「PageViewed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

PagePrefetched

次の表に、オペレーション「PagePrefetched」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ClientViewSignaled

次の表に、オペレーション「ClientViewSignaled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

PageViewedExtended

次の表に、オペレーション「PageViewedExtended」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

FolderCreated

次の表に、オペレーション「FolderCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderDeleted

次の表に、オペレーション「FolderDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderMoved

次の表に、オペレーション「FolderMoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE target.resource.resource_type is set to STORAGE_OBJECT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} SourceRelativeUrl field not getting in log
DestinationRelativeUrl	DestinationRelativeUrl field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	DestinationFileName field not getting in log target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	src.file.full_path target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderRenamed

次の表に、オペレーション「FolderRenamed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderModified

次の表に、オペレーション「FolderModified」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderCopied

次の表に、オペレーション「FolderCopied」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_COPY target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path
SourceRelativeUrl	src.file.full_path
DestinationRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderRestored

次の表に、オペレーション「FolderRestored」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderDeletedFirstStageRecycleBin

次の表に、オペレーション「FolderDeletedFirstStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FolderDeletedSecondStageRecycleBin

次の表に、オペレーション「FolderDeletedSecondStageRecycleBin」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncDownloadedFull

次の表に、オペレーション「FileSyncDownloadedFull」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is set to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	src.file.size
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncDownloadedPartial

次のテーブルに、オペレーション「FileSyncDownloadedPart」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to src.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	src.file.size
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncUploadedFull

次の表に、オペレーション「FileSyncuploadedFull」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	target.file.size
ImplicitShare	target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

FileSyncUploadedPartial

次の表は、ログオペレーションと、オペレーション「FileSyncUploadedPartial」とワークロード「SharePoint/OneDrive」に対応する UDM マッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
FileSyncBytesCommitted	target.file.size
ImplicitShare	target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

ManagedSyncClientAllowed

次の表に、オペレーション「ManagedSyncClientAllowed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_WRITTEN
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

UnmanagedSyncClientBlocked

次の表に、オペレーション「UnmanagedSyncClientBlocked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

AddedToGroup

次の表に、オペレーション「AddedToGroup」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.group.group_display_name
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
Site	target.labels.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

GroupAdded

次の表に、オペレーション「GroupAdded」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
Site	target.labels.key/value
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

GroupRemoved

次の表に、オペレーション「GroupRemoved」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebRequestAccessModified

次の表は、オペレーション「WebRequestAccessModified」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

WebMembersCanShareModified

次の表に、オペレーション「WebMembersCanShareModified」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
version	metadata.product_version
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

PermissionLevelModified

次の表に、オペレーション「PermissionLevelModified」とワークロード「SharePoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name
version	metadata.product_version
WebID	about.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

SiteCollectionAdminAdded

次の表は、オペレーション「SiteCollectionAdminAdded」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

SiteCollectionAdminRemoved

次の表は、オペレーション「SiteCollectionAdminRemoved」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
ModifiedProperties	If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId	about.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

PermissionLevelRemoved

次の表に、オペレーション「PermissionLevelRemoved」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.permissions.name
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

RemovedFromGroup

次の表は、オペレーション「RemovedFromGroup」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.group.group_display_name
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

GroupUpdated

次の表に、オペレーション「GroupUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.referral_url
ModifiedProperties	if Name is Name then NewValue is mapped to target.group.group_display_name
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

ProjectCheckedOut

次の表に、オペレーション「ProjectCheckedOut」とワークロード「Project」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

ProjectAccessed

次の表に、オペレーション「ProjectAccessed」とワークロード「Project」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

SharingInheritanceBroken

次の表は、オペレーション「SharedPreemptibleanceBroken」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ApplicationDisplayName	target.application

AddToSecureLink

次の表に、オペレーション「AddedToSecureLink」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId	target.labels.key/value
Version	metadata.product_version
WebId	about.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ApplicationDisplayName	target.application

CompanyLinkCreated

次の表に、オペレーション「CompanyLinkCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
ApplicationDisplayName	target.application

CompanyLinkUsed

次のテーブルに、オペレーション「CompanyLinkUsed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SecureLinkCreated

次の表は、オペレーション「SecureLinkCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value

SharingInvitationCreated

次の表に、オペレーション「SharingInvitationCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkDeleted

次の表に、オペレーション「SecureLinkDeleted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application

RemoveFromSecureLink

次の表に、オペレーション「RemovedFromSecureLink」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id

SharingInvitationRevoked

次の表に、オペレーション「SharingInvitationRevoked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path
SourceRelativeUrl	target.file.full_path
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkUpdated

次の表は、オペレーション「SecureLinkUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value

SecureLinkUsed

次の表に、オペレーション「SecureLinkUsed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
UniqueSharingId	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SharingRevoked

次の表に、オペレーション「SharedRevoked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

SharingSet

次の表に、オペレーション「SharingSet」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_SYNC ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

PermissionLevelAdded

次の表に、オペレーション「PermissionLevelAdded」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.permissions.name BasePermissions is mapped to target.resource.attribute.permissions.name

SharingInvitationAccepted

次の表に、オペレーション「共SharingInvitationAccepted」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.name Added to Group is mapped to target.resource.name

SharingInvitationBlocked

次の表に、オペレーション「SharingInvitationBlocked」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	security_result.summary Reason is mapped to security_result.summary

AccessRequestCreated

次の表に、オペレーション「AccessRequestCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
EventData	target.resource.attribute.labels.key/value Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value

AnonymousLinkCreated

次の表に、オペレーション「AnonymousLinkCreated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
UniqueSharingId	target.labels.key/value

AccessRequestUpdated

次の表に、オペレーション「AccessRequestUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
ModifiedProperties	target.labels.key/value

CompanyLinkRemoved

次の表に、オペレーション「CompanyLinkRemoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value

AccessRequestAuthorized

次の表に、オペレーション「AccessRequestApproved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
WebId	about.labels.key/value
EventData	target.resource.name Extract using grok grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } }
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id

AnonymousLinkRemoved

次の表に、オペレーション「AnonymousLinkRemoved」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value
SourceFileExtension	target.file.mime_type
UniqueSharingId	target.labels.key/value
SiteUrl	network.http.referral_url Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
MachineId	target.asset.product_object_id

AnonymousLinkUpdated

次の表に、オペレーション「AnonymousLinkUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
ApplicationDisplayName	target.application
WebId	about.labels.key/value
UniqueSharingId	target.labels.key/value
EventData	target.resource.attribute.labels.key/value Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SharingInvitationUpdated

次の表に、オペレーション「SharingInvitationUpdated」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
ApplicationDisplayName	target.application
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value
ModifiedProperties	target.labels.key/value
	event_type is mapped to USER_RESOURCE_ACCESS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
TargetUserOrGroupName	target.group.group_display_name target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
SourceFileName	target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl	target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName	target.application
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
WebId	about.labels.key/value

AnonymousLinkUsed

次の表に、オペレーション「AnonymousLinkUsed」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループの追加

次の表に、オペレーション「グループを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set toGroup membership update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループにメンバーを追加

次の表に、オペレーション「グループにメンバーを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_CREATION`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else map `about.labels.key/value`
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
ActorIpAddress	`principal.ip and principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value`
Version	`metadata.product_version`

ユーザーを追加

次の表に、オペレーション Add user とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `Is HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
Target	`target.user.userid or target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value`

ユーザーのライセンスを変更します。

次の表に、オペレーション「ユーザーのライセンスを変更します。」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーパスワードの変更

次の表に、オペレーション「ユーザーパスワードの変更」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group deletion successful ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group deletion failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.group.group_display_name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループを削除

次の表に、オペレーション「グループを削除」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group membership update failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product.object_id target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループからメンバーを削除する

次の表に、オペレーション「グループからメンバーを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION if status is Success then action ALLOW security_result.summary User deleted successfully
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーを削除

次の表に、オペレーション Delete user とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED` `ResultStatus` is `Success` `Action` is set to `ALLOW` `security_result.summary` is `User updated successfully` `ResultStatus` is `Failure` `Action` is set to `BLOCK` `security_result.summary` is `User update failed`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
ActorIpAddress	`principal.ip and principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value`
Version	`metadata.product_version`

ユーザーの更新

次の表に、オペレーション Update user とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type is mapped to GROUP_MODIFICATION` if `ObjectId` not contain (empty) or `Not Available` then `ObjectId` is set to `target.group.product_object_id`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
`ModifiedProperties`	`security_result.detection_fields.key/value` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value` If `Name` is `TargetId.UserType` then `NewValue` and `Oldvalue` are mapped to `target.labels` If `Name` is `StrongAuthenticationPhoneAppDetail` then from `NewValue`, `DeviceName` is mapped to `target.asset.hostname`, `PhoneAppVersion` is mapped to `target.asset.software.version`, `DeviceId` is mapped to `target.asset.asset_id`, `Id` is mapped to `target.asset.product_object_id`, `DeviceToken` is mapped to `target.asset.attribute.labels.key/value`, `DeviceTag` is mapped to `target.asset.attribute.labels.key/value`, `OathTokenTimeDrift` is mapped to `security_result.detection_fields.key/value`, `TimeInterval` is mapped to `security_result.detection_fields.key/value`, `AuthenticationType` is mapped to `security_result.detection_fields.key/value`, `NotificationType` is mapped to `target.asset.attribute.labels.key/value`, `LastAuthenticatedTimestamp` is mapped to `security_result.detection_fields.key/value`, `AuthenticatorFlavor` is mapped to `security_result.detection_fields.key/value`, `HashFunction` is mapped to `security_result.detection_fields.key/value`, `TenantDeviceId` is mapped to `target.labels.key/value`, `SecuredPartitionId` is mapped to `security_result.detection_fields.key/value`, `SecuredKeyId` is mapped to `security_result.detection_fields.key/value`. If `Name` is `StrongAuthenticationPhoneAppDetail` then from `OldValue`, `DeviceName` is mapped to `about.asset.hostname`, `PhoneAppVersion` is mapped to `about.asset.software.version`, `DeviceId` is mapped to `about.asset.asset_id`, `Id` is mapped to `about.asset.product_object_id`, `DeviceToken` is mapped to `about.asset.attribute.labels.key/value`, `DeviceTag` is mapped to `about.asset.attribute.labels.key/value`, `OathTokenTimeDrift` is mapped to `security_result.detection_fields.key/value`, `TimeInterval` is mapped to `security_result.detection_fields.key/value`, `AuthenticationType` is mapped to `security_result.detection_fields.key/value`, `NotificationType` is mapped to `about.asset.attribute.labels.key/value`, `LastAuthenticatedTimestamp` is mapped to `security_result.detection_fields.key/value`, `AuthenticatorFlavor` is mapped to `security_result.detection_fields.key/value`, `HashFunction` is mapped to `security_result.detection_fields.key/value`, `TenantDeviceId` is mapped to `about.labels.key/value`, `SecuredPartitionId` is mapped to `security_result.detection_fields.key`, `SecuredKeyId` is mapped to `security_result.detection_fields.key`.
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
ActorIpAddress	`principal.ip` and `principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.group.group_display_name` `target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 1 then `ID` is mapped to `target.group.group_display_name` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value`
Version	`metadata.product_version`

グループの更新

次の表に、オペレーション「グループを更新」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN If ResultStatus is Succeeded or ResultStatus is Success security_result.action is ALLOW security_result.summary is User login successful else if ResultStatus is Failed or LogonError !is security_result.action is BLOCK security_result.summary is User login failed security_result.description is {LogonError} UserId is mapped to target.user.userid or target.user.email_addresses metadata.description is User Login - {Workload}
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description

UserLoggedIn

次の表に、オペレーション「UserLoggedIn」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN security_result.Action is set to BLOCK security_result.summary is User login failed
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent extensions.auth.type extensions.auth.mechanism If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE If Name is UserAgent then Value is mapped to network.http.user_agent If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type If Name is requestType then Based on Value it will map with extensions.auth.type
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version
DeviceProperties	network.session_id principal.platform principal.hostname If Name is OS { If Value is matched to Windows then principal.platform is WINDOWS If Value is matched to Mac then principal_plateform is MAC if Value is matched to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname
ErrorCode	security_result.description security_result.description is set to ErrorCode - {ErrorCode}
LogonError	security_result.description If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

UserLoginFailed

次の表に、オペレーション「UserLoginFailed」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

Update StsRefreshTokenValidFrom Timestamp

次の表に、オペレーション「Update StsRefreshTokenValidFrom Timestamp」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summary If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイス

次の表に、オペレーション「デバイスの更新」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ドメインで連携を設定する

次の表に、オペレーション「ドメインで連携を設定する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

ドメインの所有権を証明

次の表に、オペレーション「ドメインの確認」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

会社情報を設定する

次の表に、オペレーション「会社情報を設定する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーパスワードを再設定

次の表に、オペレーション「ユーザーパスワードを再設定」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.description security_result.summary target.labels.key/value If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue} If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

アカウントを無効にする

次の表に、オペレーション「アカウントを無効にする」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーのアプリケーションパスワードを削除する

次の表に、オペレーション「ユーザーのアプリケーションパスワードを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイスを削除

次の表に、オペレーション「デバイスを削除」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

登録ユーザーをデバイスに追加する

次の表に、オペレーション「登録ユーザーをデバイスに追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイスに登録済みの所有者を追加する

次の表に、オペレーション「デバイスに登録済みの所有者を追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

グループにオーナーを追加する

次の表に、オペレーション「グループにオーナーを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product_object_id target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

OAuth2PermissionGrant を追加する

次の表に、オペレーション「OAuth2PermissionGrant を追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

デバイスを追加

次の表に、オペレーション「デバイスを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.resource.product_object_id network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

ユーザーへのアプリロールの割り当ての付与を追加する

次の表に、オペレーション「ユーザーへのアプリロールの割り当ての付与を追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSION Workload is mapped to intermediary.application
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	target.application network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetName then Value is mapped to target.application If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.user.userid or target.user.email_addresses If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

アプリケーションに対して同意する

次の表に、オペレーション「アプリケーションに対して同意する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.resource.name target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

サービスプリンシパルを更新する

次の表に、オペレーション「サービスプリンシパルを更新する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

サービスプリンシパルを追加する

次の表に、オペレーション「サービスプリンシパルを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
Version	metadata.product_version

サービスプリンシパルを削除する

次の表に、オペレーション「サービスプリンシパルを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

メンバーをロールに追加する

次の表に、オペレーション Add member to role とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED` `ResultStatus` is `Success` then `Action` is set to `ALLOW` `security_result.summary` is set to `Added a user to an admin role successfully` `ResultStatus` is `Failure` then `Action is set to BLOCK` `security_result.summary is set to Added a user to an admin role failed` `ObjectId is mapped to target.url`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
ModifiedProperties	`target.resource.product_object_id` `target.resource.attribute.roles.name` `target.resource.attribute.labels.key/value` if `Name` is `Role.ObjectId` then `NewValue` is `target.resource.product_object_id` If `Name` is `Role.DisplayName` then `NewValue` is `target.user.attribute.roles.name` if `Name` is `Role.TemplateId` then `NewValue` and `OldValue` is `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
ActorIpAddress	`principal.ip` and `principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemsId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value`
Version	`metadata.product_version`

ロールからメンバーを削除する

次の表に、オペレーション「ロールからメンバーを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is Success then Action is set to ALLOW security_result.summary is Removed a user to an admin role successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is Removed a user to an admin role failed
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.user.attribute.roles.name if Name is Role.ObjectId then NewValue is target.resource.product_object_id If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value
	event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId	target.labels.key/value
Version	metadata.product_version

ラベルを追加

次の表に、オペレーション「ラベルを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is set to target.resource.product_object_id
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemsId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses
TargetContextId	target.labels.key/value
Version	metadata.product_version

会社を作成する

次の表に、オペレーション「会社を作成する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION ObjectId is set to target.resource.product_object_id
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.labels.key/value
TeamName	target.group.group_display_name
Version	metadata.product_version

TeamsSessionStarted

次の表に、オペレーション「TeamsSessionStarted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

ScheduleGroupAdded

次の表に、オペレーション「ScheduleGroupAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

ScheduleGroupEdited

次の表に、オペレーション「ScheduleGroupEdited」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_DELETION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

ScheduleGroupDeleted

次の表に、オペレーション「ScheduleGroupDeleted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING Required fields for SETTING_CREATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
Shift	target.resource.attribute.labels.value

ShiftAdded

次の表に、オペレーション「ShiftAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
Shift	target.resource.attribute.labels.value

ShiftEdited

次の表に、オペレーション「ShiftEdited」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
Shift	target.resource.attribute.labels.value

ShiftDeleted

次の表に、オペレーション「ShiftDeleted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
Shift	target.resource.attribute.labels.value

TimeOffAdded

次の表に、オペレーション「TimeOffAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
Shift	target.resource.attribute.labels.value

TimeOffEdited

次の表に、オペレーション「TimeOffEdited」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
Shift	target.resource.attribute.labels.value

TimeOffDeleted

次の表に、オペレーション「TimeOffDeleted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
OpenShift	target.resource.attribute.labels.key/value

OpenShiftAdded

次の表に、オペレーション「OpenShiftAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
OpenShift	target.resource.attribute.labels.key/value

OpenShiftEdited

次の表に、オペレーション「OpenShiftEdited」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
OpenShift	target.resource.attribute.labels.key/value

OpenShiftDeleted

次の表に、オペレーション「OpenShiftDeleted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

ScheduleShared

次の表に、オペレーション「ScheduleShared」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

ClockedIn

次の表に、オペレーション「ClockedIn」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

BreakStarted

次の表に、オペレーション「BreakStarted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

BreakEnded

次の表に、オペレーション「BreakEnded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
ShiftRequest	target.resource.attribute.labels.key/value

RequestAdded

次の表に、オペレーション「RequestAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
ShiftRequest	target.resource.attribute.label.key/value

RequestRespondedTo

次の表に、オペレーション「RequestResponseedTo」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id
ShiftRequest	target.resource.attribute.label.key/value

RequestCancelled

次の表に、オペレーション「RequestCancelled」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AADGroupId	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
ScheduleId	target.resource.product_object_id

ScheduleSettingChanged

次の表に、オペレーション「ScheduleSettingChanged」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version

TeamSettingChanged

次の表に、オペレーション「TeamSettingChanged」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version

AppInstalled

次の表に、オペレーション「AppInstalled」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	target.resource.product_object_id
AddOnType	target.labels.key/value
AddOnName	target.resource.name
Version	metadata.product_version
AppDistributionMode	about.labels.key/value
AzureADAppId	about.labels.key/value
OperationScope	about.labels.key/value
TargetUserId	target.user.product_object_id

MemberRemoved

次の表に、オペレーション「MemberRemoved」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version
AADGroupId	target.labels.key/value
CommunicationType	about.labels.key/value
ChatName	target.group.group_display_name
ChatThreadId	target.user.group_identifiers target.group.product_object_id

TabRemoved

次の表に、オペレーション「TabRemoved」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
Version	metadata.product_version
AADGroupId	target.labels.key/value
AddOnGuid	target.resource.product_object_id
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
AddOnName	target.resource.name
ChannelName	target.resource.attribute.labels.key/value
TeamName	target.group.group_display_name

AppUninstalled

次の表に、オペレーション「AppUninstalled」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	target.resource.product_object_id
AddOnType	target.labels.key/value
AddOnName	target.resource.name
Version	metadata.product_version
AppDistributionMode	about.labels.key/value
AzureADAppId	about.labels.key/value
OperationScope	about.labels.key/value
TargetUserId	target.user.product_object_id

MemberAdded

次の表に、オペレーション「MemberAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version
CommunicationType	about.labels.key/value
ChatName	target.group.group_display_name
ChatThreadId	target.user.group_identifiers target.group.product_object_id

TabAdded

次の表に、オペレーション「TabAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	metadata.product_version
AADGroupId	target.labels.key/value
AddOnGuid	target.resource.product_object_id
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
AddOnName	target.resource.name
AddOnUrl	target.url
ChannelName	target.labels.key/value
TeamName	target.group.group_display_name

ClockedOut

次の表に、オペレーション「ClockedOut」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version
AADGroupId	target.labels.key/value
ScheduleId	target.resource.product_object_id

TeamCreated

次の表に、オペレーション「TeamCreated」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.resource.product_object_id
TeamName	target.resource.name
Version	metadata.product_version

BotAddedToTeam

次の表に、オペレーション「BotAddedToTeam」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid	target.resource.product_object_id
AddOnName	target.resource.name
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

ChannelAdded

次の表に、オペレーション「ChannelAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.resource.product_object_id
ChannelName	target.resource.name
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

ConnectorAdded

次の表に、オペレーション「ConnectorAdded」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

ChannelSettingChanged

次の表に、オペレーション「ChannelSettingChanged」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.resource.product_object_id
ChannelName	target.resource.name
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

TeamsTenantSettingChanged

次の表に、オペレーション「TeamsTenantSettingChanged」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

MemberRoleChanged

次の表に、オペレーション「MemberRoleChanged」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name DisplayName is mapped to about.user.user_display_name Role is mapped to about.user.attribute.roles.name UPN is mapped to about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

DeletedAllOrganizationApps

次の表に、オペレーション「DeletedAllOrganizationApps」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

ChannelDeleted

次の表に、オペレーション「ChannelDeleted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.resource.product_object_id
ChannelName	target.resource.name
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

TeamDeleted

次の表に、オペレーション「TeamDeleted」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.resource.product_object_id
TeamName	target.resource.name

BotRemovedFromTeam

次の表に、オペレーション「BotRemovedFromTeam」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

ConnectorRemoved

次の表に、オペレーション「ConnectorRemoved」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

ConnectorUpdated

次の表に、オペレーション「ConnectorUpdated」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.email_addresses
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name

TabUpdated

次の表に、オペレーション「TabUpdated」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid	target.labels.key/value
AddOnName	target.resource.name
AddOnType	target.labels.key/value
ChannelGuid	target.labels.key/value
ChannelName	target.resource.attribute.labels.key/value
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
Members	about.user.userid or about.user.email_addresses about.user.user_display_name about.user.attribute.roles.name
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
Name	target.resource.attribute.labels.key
NewValue	target.resource.attribute.labels.value
SubscriptionId	target.resource.attribute.labels.key/value
TabType	target.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
AADGroupId	target.labels.key/value
AddOnUrl	target.url

更新

次の表に、オペレーション「Update」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism LogonType is 2 then mechanism is set to INTERACTIVE LogonType is 3 or 8 then mechanism is set to NETWORK LogonType is 4 then mechanism is set to BATCH LogonType is 5 then mechanism is set to SERVICE LogonType is 7 then mechanism is set to UNLOCK LogonType is 9 then mechanism is set to NEW_CREDENTIALS LogonType is 9 then mechanism is set to REMOTE_INTERACTIVE LogonType is 9 then mechanism is set to CACHED_INTERACTIVE else mechanism is set to MECHANISM_UNSPECIFIED
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Item	network.email.subject target.resource.product_object_id target.resource.name target.file.size network.email.mail_id target.file.full_path Id is mapped to target.resource.product_object_id Subject is mapped to network.email.subject SizeInBytes is mapped to target.file.size Item.ParentFolder.Path is mapped to target.resource.name InternetMessageId is mapped to network.email.mail_id Attachments is mapped to target.file.full_path
ModifiedProperties	securiy_result.summary
SessionId	network.session_id
ClientRequestId	principal.labels.key/value
Version	metadata.product_version

FolderBind

次の表に、オペレーション「FolderBind」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
AppId	target.labels.key/value
ClientRequestId	principal.labels.key/value
Item	target.resource.product_object_id target_resource_name network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name
SessionId	network.session_id
Version	metadata.product_version

SendOnBehalf

次の表に、オペレーション「SendOnBehalf」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
AppId	target.labels.key/value
Item	network.email.subject network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.email_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id
SessionId	network.session_id
SendOnBehalfOfUserSmtp	target.user.userid or target.user.email_addresses
Version	metadata.product_version

SendAs

次の表に、オペレーション「SendAs」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
SendAsUserMailboxGuid	about.labels.key/value
Item	network.email.subject network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id
SessionId	network.session_id
SendAsUserSmtp	target.user.userid or target.user.email_addresses
Version	metadata.product_version

送信

次の表に、オペレーション「Send」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
Item	network.email.subject network.email.mail_id target.file.full_path target.resource.product_object_id
SessionId	network.session_id
Version	metadata.product_version

New-InboxRule

次の表に、オペレーション「New-InboxRule」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
SessionId	network.session_id
Version	metadata.product_version
Parameters	security_result.rule_labels.key/value
AppId	target.labels.key/value

Set-InboxRule

次の表に、オペレーション「Set-InboxRule」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION ObjectId is set to target.group.product_object_id target.resource.resource_type is set to SETTING
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Parameters	security_result.rule_labels.key/value
SessionId	network.session_id
ClientRequestId	principal.labels.key/value
Version	metadata.product_version

MoveToDeletedItems

次の表に、オペレーション「MoveToDeletedItems」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
DestFolder	target.resource.product_object_id target.resource.name
SessionId	network.session_id
Version	metadata.product_version
AffectedItems	about.file.full_path network.email.subject network.email.mail_id Subject is mapped to network.email.subject ParentFolder.Path is mapped to about.file.full_path AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id
Folder	src.resource.product_object_id src.resource.name
ClientRequestId	principal.labels.key/value
AppId	target.labels.key/value

移動

次の表に、オペレーション「Move」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
DestFolder	target.resource.product_object_id target.resource.name
SessionId	network.session_id
Version	metadata.product_version
AffectedItems	about.file.full_path network.email.subject network.email.mail_id
Folder	src.resource.product_object_id src.resource.name

MailItemsAccessed

次の表に、オペレーション「MailItemsAccessed」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
OperationProperties	security_result.detection_fields.key/value.
SessionId	network.session_id
Version	metadata.product_version
OperationCount	about.labels.key/value
AppId	target.labels.key/value
Folders	about.resource.name about.resource.product_object_id network.email.mail_id Folders.Path is mapped to about.resource.name Folders.Id is mapped to about.resource.product_object_id Folders.0.FolderItems.0.InternetMessageId network_email_id

MailboxLogin

次の表に、オペレーション「MailboxLogin」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_LOGIN auth.Type is MACHINE
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
SessionId	network.session_id
Version	metadata.product_version

SoftDelete

次の表に、オペレーション「SoftDelete」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
AffectedItems	about.file.full_path network.email.subject network.email.mail_id AffectedItems.Attachments is mapped to about.file.full_path AffectedItems.Subject is mapped to network.email.subject AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id
Folder	target.resource.name target.resource.product_object_id Folder.Path is mapped to target.resource.name Folder.Id is mapped to target.resource.product_object_id
SessionId	network.session_id
ClientRequestId	principal.labels.key/value
Version	metadata.product_version

HardDelete

次の表に、オペレーション「HardDelete」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
AffectedItems	about.file.full_path network.email.subject network.email.mail_id
Version	metadata.product_version
ClientAppId	target.labels.key/value
AppId	target.labels.key/value
Folder	target.resource.name target.resource.product_object_id

作成

次の表に、オペレーション「Create」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
Item	target.resource.name target.resource.product_object_id target.file.full_path network.email.subject network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name Item.Subject is mapped to network.email.subject Attachment may present or not in log so write grok for this. Item.Attachments is mapped to target.file.full_path
SessionId	network.session_id
Version	metadata.product_version

RemoveFolderPermissions

次の表に、オペレーション「RemoveFolderPermissions」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
Item	target.file.full_path target.resource.attribute.permissions.name target.user.email_addresses or target.user.userid Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid Item.ParentFolder.Path is mapped to target.file.full_path User rights is mapped to target.resource.attribute.permissions.name
SessionId	network.session_id
Version	metadata.product_version

ModifyFolderPermissions

次の表に、オペレーション「ModifyFolderPermissions」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
Item	target.file.full_path target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name
SessionId	network.session_id
Version	metadata.product_version

AddFolderPermissions

次の表に、オペレーション「AddFolderPermissions」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
Item	target.file.full_path target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name Path is mapped to target.file.full_path Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid User Rights is mapped to target.resource.attribute.permissions.name
SessionId	network.session_id
Version	metadata.product_version
AppId	target.labels.key/value

Remove-MailboxPermission

次の表に、オペレーション「Remove-MailboxPermission」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Parameters	security_result.detection_fields.key/value
SessionId	network.session_id
Version	metadata.product_version

Add-MailboxPermission

次の表に、オペレーション「Add-MailboxPermission」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
ClientAppId	target.labels.key/value
SessionId	network.session_id
Version	metadata.product_version
AppId	target.resource.attribute.labels.key/value
Parameters	security_result.detection_fields.key/value
ObjectId	target.resource.attribute.labels.key/value

UpdateInboxRules

次の表に、オペレーション「UpdateInboxRules」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
ClientAppId	target.labels.key/value
SessionId	network.session_id
Version	metadata.product_version
Item	target.resource.product_object_id target.resource.name Item.ParentFolder.name is mapped to target.resource.name Item.ParentFolder.id is mapped to target.resource.product_object_id
OperationProperties	security_result.rule_id security_result.rule_name security_result.detection_fields.key/value if Name is RuleId then Value is mapped to security_result.rule_id if Name is RuleName then Value is mapped to security_result.rule_name else security_result.detection_fields.key/value
ClientRequestId	principal.labels.key/value

UpdateCalendarDelegation

次の表に、オペレーション「UpdateCalendarDelegation」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is SERVICE_ACCOUNT
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version

ApplyRecordLabel

次の表に、オペレーション「ApplyRecordLabel」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version

UpdateFolderPermissions

次の表に、オペレーション「UpdateFolderPermissions」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to STORAGE_OBJECT
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version

Set-User

次の表に、オペレーション「Set-User」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION ObjectId is set to target.user.userid or target.user.email_addresses
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.detection_fields.key/value
Version	metadata.product_version

ViewReport

次の表に、オペレーション「ViewReport」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is mapped to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
ActivityId	principal.labels.key/value
ConsumptionMethod	target.labels.key/value
DatasetId	target.resource.attribute.label.key/value
DistributionMethod	about.labels.key/value
ReportId	target.resource.product_object_id
ReportType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
UserAgent	network.http.user_agent
WorkspaceId	target.resource.attribute.labels.key/value

GenerateEmbedToken

次の表に、オペレーション「GenerateEmbedToken」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS ObjectId is set to target.file.full_path
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
ActivityId	principal.labels.key/value
ConsumptionMethod	target.labels.key/value
DatasetId	target.resource.attribute.label.key/value
DistributionMethod	about.labels.key/value
ReportId	target.resource.attribute.labels.key/value
ReportType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
UserAgent	network.http.user_agent
WorkspaceId	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
EmbedTokenId	target.resource.product_object_id
RLSIdentities	about.user.email_addresses about.user.attribute.roles.name RLSIdentities.UserName is mapped to about.user.email_addresses RLSIdentities.Roles is mapped to about.user.attribute.roles.name

CreateDataset

次の表に、オペレーション「CreateDataset」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.product_object_id
DataConnectivityMode	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
LastRefreshTime	about.labels.key/value

GenerateCustomVisualAADAccessToken

次の表に、オペレーション「GenerateCustomVisualAADAccessToken」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
CustomVisualAccessTokenResourceId	target.resource.product_object_id
CustomVisualAccessTokenSiteUri	target.url

DeleteOrganizationalGalleryItem

次の表に、オペレーション「DeleteOrganizationalGalleryItem」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
OrganizationalGalleryItemId	target.resource.product_object_id
OrganizationalGalleryItemDisplayName	target.resource.name
OrganizationalGalleryItemPublishTime	target.resource.attribute.labels.key/value

DeleteAlmPipeline

次の表に、オペレーション「DeleteAlmPipeline」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DeploymentPipelineId	target.labels.key/value
DeploymentPipelineObjectId	target.resource.product_object_id

AddDatasourceToGateway

次の表に、オペレーション「AddDatasourceToGateway」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
GatewayId	target.resource.attribute.labels.key/value
GatewayType	target.labels.key/value
DatasourceId	target.resource.product_object_id
DatasourceType	target.resource.attribute.labels.key/value

AssignWorkspaceToPipeline

次の表に、オペレーション「AssignWorkspaceToPipeline」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	principal.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	principal.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DeploymentPipelineId	target.labels.key/value
DeploymentPipelineObjectId	target.resource.product_object_id
DeploymentPipelineStageOrder	target.labels.key/value

CancelDataflowRefresh

次の表に、オペレーション「CancelDataflowRefresh」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DataflowId	target.resource.product_object_id
DataflowName	target.resource.name
DataflowType	target.resource.attribute.labels.key/value

ChangeCapacityState

次の表に、オペレーション「ChangeCapacityState」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CapacityName	target.resource.name
CapacityUsers	about.labels.key/value
CapacityState	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

ChangeGatewayAdministrators

次の表に、オペレーション「ChangeGatewayAdministrators」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
GatewayId	target.resource.product_object_id
UserInformation	about.user.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

InsertOrganizationalGalleryItem

次の表に、オペレーション「InsertOrganizationalGalleryItem」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
OrganizationalGalleryItemId	target.resource.product_object_id
OrganizationalGalleryItemDisplayName	target.resource.name
OrganizationalGalleryItemPublishTime	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

CreateAlmPipeline

次の表に、オペレーション「CreateAlmPipeline」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
DeploymentPipelineId	target.labels.key/value
DeploymentPipelineObjectId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

CreateApp

次の表に、オペレーション「CreateApp」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.name
WorkspaceId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

CreateDashboard

次の表に、オペレーション「CreateDashboard」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION If IsSuccess is true then security_result.summary is Dashboard created successfully else security_result.summary is Dashboard not created
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DashboardId	target.resource.product_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DistributionMethod	about.labels.key/value

CreateDataflow

次の表に、オペレーション「CreateDataflow」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_CREATION If IsSuccess is true then security_result.summary is Dataflow created successfully else security_result.summary is Dataflow not created
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DataflowType	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_id
WorkspaceId	target.resource.attribute.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value

CreateEmailSubscription

次の表に、オペレーション「CreateEmailSubscription」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION If IsSuccess is true then security_result.summary is EmailSubscription created successfully else security_result.summary is EmailSubscription not created ObjectId is set to target.file.full_path
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
SubscriptionSchedule	target.labels.key/value
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
SubscribeeInformation	network.email.to
DashboardId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkSpaceName	target.resource.attribute.labels.key/value

CreateFolder

次の表に、オペレーション「CreateFolder」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
FolderDisplayName	target.resource.name
FolderObjectId	target.resource.attribute.labels.key/value

CreateGateway

次の表に、オペレーション「CreateGateway」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
GatewayId	target.resource.product_object_id
GatewayType	target.labels.key/value

CreateTemplateApp

次の表に、オペレーション「CreateTemplateApp」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
ActivityId	principal.labels.key/value
TemplateAppObjectId	target.resource.product_object_id
RequestId	about.labels.key/value

DeleteComment

次の表に、オペレーション「DeleteComment」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
AuditedArtifactInformation	target.resource.name target.resource.product_object_id target.resource.attribute.labels.key/value Name is mapped to target.resource.name ArtifactObjectId is set to target.resource.product_object_id AnnotatedItemType is mapped to target.resource.attribute.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent

DeleteDashboard

次の表に、オペレーション「DeleteDashboard」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DashboardId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
DashboardName	target.resource.name
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
DistributionMethod	about.labels.key/value

DeleteDataflow

次の表に、オペレーション「DeleteDataflow」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_object_id
DataflowName	target.resource.name
DataflowType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value

DeleteDataset

次の表に、オペレーション「DeleteDataset」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.product_object_id
DataConnectivityMode	target.resource.attribute.labels.key/value
LastRefreshTime	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value

DeleteEmailSubscription

次の表に、オペレーション「DeleteEmailSubscription」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_DELETION ObjectId is set to target.file.full_path
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DashboardId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkSpaceName	target.resource.attribute.labels.key/value

DeleteFolder

次の表に、オペレーション「DeleteFolder」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION if isSuccess is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
FolderObjectId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

DeleteGateway

次の表に、オペレーション「DeleteGateway」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
GatewayId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

DeleteGroup

次の表に、オペレーション「DeleteGroup」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.nameRecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.name
WorkspaceId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

DeleteReport

次の表に、オペレーション「DeleteReport」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DatasetId	target.resource.attribute.label.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
ReportName	target.resource.name
ReportId	target.resource.product_object_id
ReportType	target.resource.attribute.labels.key/value

DownloadReport

次の表に、オペレーション「DownloadReport」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DatasetId	target.resource.attribute.label.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
ReportName	target.resource.name
ReportId	target.resource.product_object_id
ReportType	target.resource.attribute.labels.key/value

EditDataset

次の表に、オペレーション「EditDataset」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.product_object_id
DataConnectivityMode	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
LastRefreshTime	about.labels.key/value

EditDatasetProperties

次の表に、オペレーション「EditDatasetProperties」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DatasetId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetCertificationStage	target.resource.attribute.labels.key/value
LastRefreshTime	about.labels.key/value

EditReport

次の表に、オペレーション「EditReport」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DatasetId	target.resource.attribute.label.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
ReportName	target.resource.name
ReportId	target.resource.attribute.labels.key/value
ReportType	target.resource.attribute.labels.key/value

ExportDataflow

次の表に、オペレーション「ExportDataflow」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED if isSuccess is TRUE then security_result.summary is Dataflow Exported Successfully else security_result.summary is Dataflow Not Exported
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_id
DataflowName	target.rsource.name
DataflowType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

ExportReport

次の表に、オペレーション「ExportReport」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED if isSuccess is TRUE then security_result.summary is Report Exported Successfully else security_result.summary is Report Not Exported
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
DatasetId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkSpaceName	target.resource.attribute.labels.key/value
DataConnectivityMode	target.resource.attribute.labels.key/value
LastRefreshTime	about.labels.key/value

InstallApp

次の表に、オペレーション「InstallApp」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

InstallTemplateApp

次の表に、オペレーション「InstallTemplateApp」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
TemplateAppFolderObjectId	about.labels.key/value
TemplateAppOwnerTenantObjectId	principal.user.product_object_id
TemplateAppVersion	metadata.product_version
TemplateAppObjectId	target.resource.product_object_id
TemplatePackageName	target.resource.name

PostComment

次の表に、オペレーション「PostComment」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
AuditedArtifactInformation	target.resource.name target.resource.product_object_id target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

PrintDashboard

次の表に、オペレーション「PrintDashboard」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZEDObjectId is set to target.file.full_path
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DashboardId	target.resource.product_object_id
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DistributionMethod	about.labels.key/value

PrintReport

次の表に、オペレーション「PrintReport」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
ReportName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.attribute.label.key/value
ReportId	target.resource.product_object_id
ReportType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DistributionMethod	about.labels.key/value

UnassignWorkspaceFromPipeline

次の表に、オペレーション「UnassignWorkspaceFromPipeline」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
DeploymentPipelineId	target.resource.attribute.labels.key/value
DeploymentPipelineObjectId	target.resource.product_object_id

RemoveDatasourceFromGateway

次の表に、オペレーション「RemoveDatasourceFromGateway」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
GatewayId	target.resource.attribute.label.key/value
DatasourceId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

RenameDashboard

次の表に、オペレーション「RenameDashboard」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is set to target.file.full_path
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DashboardId	target.resource.product_object_id
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DistributionMethod	about.labels.key/value

RequestDataflowRefresh

次の表に、オペレーション「RequestDataflowRefresh」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_object_id
DataflowName	target.resource.name
DataflowRefreshScheduleType	target.labels.key/value
DataflowType	target.resource.attribute.label.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

RefreshDataset

次の表に、オペレーション「RefreshDataset」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.product_object_id
DataConnectivityMode	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
RefreshType	target.labels.key/value
LastRefreshTime	about.labels.key/value

SensitivityLabelApplied

次の表に、オペレーション「SensitivityLabelApplied」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.attribute.labels.key/value
DataConnectivityMode	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
SensitivityLabelId	target.resource.product_object_id
ActionSourceDetail	principal.labels.key/value
LabelEventType	target.labels.key/value
LastRefreshTime	about.labels.key/value
ActionSourceDetail	principal.labels.key/value
ArtifactType	about.labels.key/value

SensitivityLabelRemoved

次の表に、オペレーション「SensitivityLabelRemoved」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.attribute.labels.key/value
DataConnectivityMode	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
OldSensitivityLabelId	target.resource.product_object_id
ActionSource	principal.labels.key is set to ActionSource principal.labels.value is set to {Value}
LabelEventType	target.labels.key/value
LastRefreshTime	about.labels.key/value
ActionSourceDetail	principal.labels.key/value
ArtifactType	about.labels.key/value

SetScheduledRefreshOnDataflow

次の表に、オペレーション「SetScheduledRefreshOnDataflow」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_id
DataflowName	target.resource.name
DataflowType	target.resource.attribute.label.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

SetScheduledRefresh

次の表に、オペレーション「SetScheduledRefresh」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.rsource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.product_id
DataConnectivityMode	target.resource.attribute.labels.key/value
Schedules	target.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
LastRefreshTime	about.labels.key/value

ShareDashboard

次の表に、オペレーション「ShareDashboard」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
DashboardId	target.resource.product_object_id
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
SharingAction	about.labels.key/value
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value

ShareReport

次の表に、オペレーション「ShareReport」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
Datasets	about.resource.product_object_id about.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
ArtifactId	target.resource.product_object_id
ArtifactName	target.resource.name
SharingAction	about.labels.key/value
ShareLinkId	about.labels.key/value

OptInForProTrial

次の表に、オペレーション「OptInForProTrial」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UnpublishApp

次の表に、オペレーション「UnpublishApp」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkspaceId	target.resource.product_object_id
WorkSpaceName	target.resource.name
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateOrganizationalGalleryItem

次の表に、オペレーション「UpdateOrganizationalGalleryItem」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
OrganizationalGalleryItemId	target.resource.product_object_id
OrganizationalGalleryItemDisplayName	target.resource.name
OrganizationalGalleryItemPublishTime	target.resource.attribute.labels.key/value

UpdateAlmPipelineAccess

次の表に、オペレーション「UpdateAlmPipelineAccess」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DeploymentPipelineObjectId	target.resource.product_object_id
DeploymentPipelineDisplayName	target.resource.name
DeploymentPipelineAccesses	about.user.userid about.user.attribute.permissions.name userid is mapped to about.user.userid Rolepermission is mapped to about.user.attribute.permissions.name

UpdateInstalledTemplateAppParameters

次の表に、オペレーション「UpdateInstalledTemplateAppParameters」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
TemplateAppObjectId	target.resource.product_object_id
TemplatePackageName	target.resource.name
TemplateAppVersion	metadata.product_version
TemplateAppFolderObjectId	about.labels.key/value

UpdatedAdminFeatureSwitch

次の表に、オペレーション「UpdatedAdminFeatureSwitch」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is mapped to SETTING
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
SwitchState	about.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateApp

次の表に、オペレーション「UpdateApp」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.name
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
WorkspaceId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateDataflow

次の表に、オペレーション「UpdateDataflow」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_object_id
DataflowName	target.resource.name
DataflowType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateDatasetParameters

次の表に、オペレーション「UpdateDatasetParameters」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.product_object_id
DataConnectivityMode	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
LastRefreshTime	about.labels.key/value

UpdateEmailSubscription

次の表に、オペレーション「UpdateEmailSubscription」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION target.resource.type is mapped to TASK
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
SubscriptionSchedule	target.labels.key/value
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
SubscribeeInformation	network.email.to
DashboardId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkSpaceName	target.resource.attribute.labels.key/value

UpdateFolder

次の表に、オペレーション「UpdateFolder」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
FolderObjectId	target.resource.product_object_id
FolderDisplayName	target.resource.name
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateFolderAccess

次の表に、オペレーション「UpdateFolderAccess」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
FolderObjectId	target.resource.product_object_id
FolderDisplayName	target.resource.name
FolderAccessRequests	about.user.userid about.user.product_object_id about.user.attribute.permissions.type UserId is mapped to about.user.userid UserObjectId is set to about.user.product_object_id RolePermissions is mapped to about.user.attribute.permissions.type
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateDatasourceCredentials

次の表に、オペレーション「UpdateDatasourceCredentials」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
GatewayId	target.resource.attribute.labels.key/value
DatasourceId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

UpdateTemplateAppSettings

次の表に、オペレーション「UpdateTemplateAppSettings」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AppName	target.labels.key/value
ActivityId	principal.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
TemplateAppObjectId	target.resource.product_object_id

UpdateTemplateAppTestPackagePermissions

次の表に、オペレーション「UpdateTemplateAppTestPackagePermissions」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
TemplateAppObjectId	target.resource.product_object_id

ViewDashboard

次の表に、オペレーション「ViewDashboard」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
ConsumptionMethod	target.labels.key/value
DistributionMethod	about.labels.key/value
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
Datasets	about.resource.product_object_id about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name
DashboardId	target.resource.product_object_id
WorkspaceId	target.resource.attribute.labels.key/value
DashboardName	target.resource.name
WorkSpaceName	target.resource.attribute.labels.key/value

ViewDataflow

次の表に、オペレーション「ViewDataflow」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.labels.key/value
CapacityId	about.labels.key/value
CapacityName	about.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
DataflowId	target.resource.product_object_id
DataflowName	target.resource.name
DataflowType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
SensitivityLabelId	security_result.detection_fields.key/value

AddTile

次の表に、オペレーション「AddTile」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.name
WorkspaceId	target.resource.product_object_id
TileText	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

RunEmailSubscription

次の表に、オペレーション「RunEmailSubscription」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCHEDULED_TASK_CREATION target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AppName	target.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.label.key/value
DashboardName	target.resource.name
WorkspaceId	target.resource.attribute.label.key/value
DashboardId	target.resource.product_object_id
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DistributionMethod	about.labels.key/value

CreateReport

次の表に、オペレーション「CreateReport」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
UserAgent	network.http.user_agent
WorkSpaceName	target.resource.attribute.label.key/value
DatasetName	target.resource.attribute.labels.key/value
ReportName	target.resource.name
WorkspaceId	target.resource.attribute.label.key/value
DatasetId	target.resource.attribute.label.key/value
ReportId	target.resource.product_object_id
ReportType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
DistributionMethod	about.labels.key/value

GetSnapshots

次の表に、オペレーション「GetSnapshots」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

OptInForPPUTrial

次の表に、オペレーション「OptInForPPUTrial」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value

Set-MailUser

次の表に、オペレーション「Set-MailUser」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
Version	metadata.product_version

Set-MailContact

次の表に、オペレーション「Set-MailContact」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
Version	metadata.product_version

Set-Mailbox

次の表に、オペレーション「Set-Mailbox」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED Object is mapped to target.group.group_display_name
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.detection_fields.key/value
SessionId	network.session_id
Version	metadata.product_version

Set-DistributionGroup

次の表に、オペレーション「Set-DistributionGroup」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is Group members definition ResultStatus is True Action is set to ALLOW else Action is set to BLOCK
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.group.product_object_id or target.group.email_addresses security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is AcceptMessagesOnlyFromSendersOrMembers then Value is mapped to security_result.description else target.group.attribute.labels.key/value
SessionId	network.session_id
Version	metadata.product_version

Set-Contact

次の表に、オペレーション「Set-Contact」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
Version	metadata.product_version

Set-CASMailbox

次の表に、オペレーション「Set-CASMailbox」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to target.group.group_display_name
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
ModifiedObjectResolvedName	about.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.detection_fields.key/value
SessionId	network.session_id
Version	metadata.product_version

Set-CalendarProcessing

次の表に、オペレーション「Set-CalendarProcessing」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.user.user_display_name If Name is ResourceDelegates then Value is mapped to target.user.user_display_name
SessionId	network.session_id
Version	metadata.product_version

Set-AdminAuditLogConfig

次の表に、オペレーション「Set-AdminAuditLogConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. ObjectId is mapped to target.url target.resource.resource_type is set to SETTING
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
ModifiedObjectResolvedName	about.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.detection_fields.key/value
SessionId	network.session_id
Version	metadata.product_version

Remove-UnifiedGroup

次の表に、オペレーション「Remove-UnifiedGroup」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.detection_fields.key/value
Version	metadata.product_version

Remove-MigrationUser

次の表に、オペレーション「Remove-MigrationUser」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION ObjectId is set to target.user.userid or target.user.email_addresses
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.detection_fields.key/value
SessionId	network.session_id
Version	metadata.product_version

Update-eDiscoveryCaseAdmin

次の表に、オペレーション「Update-eDiscoveryCaseAdmin」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Remove-DistributionGroupMember

次の表に、オペレーション「Remove-DistributionGroupMember」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name else target.group.attribute.labels.key/value
Version	metadata.product_version

ViewedSearchExported

次の表に、オペレーション「ViewedSearchExported」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

AddWorkingSetQueryToWorkingSet

次の表に、オペレーション「AddWorkingSetQueryToWorkingSet」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

AddQueryToWorkingSet

次の表に、オペレーション「AddQueryToWorkingSet」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

RunAlgo

次の表に、オペレーション「RunAlgo」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

AnnotateDocument

次の表に、オペレーション「AnnotateDocument」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

BurnJob

次の表に、オペレーション「BurnJob」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

CreateWorkingSet

次の表に、オペレーション「CreateWorkingSet」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

CreateWorkingsetSearch

次の表に、オペレーション「CreateWorkingsetSearch」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

CreateTag

次の表に、オペレーション「CreateTag」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

DeleteWorkingsetSearch

次の表に、オペレーション「DeleteWorkingsetSearch」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

DeleteTag

次の表に、オペレーション「DeleteTag」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

DownloadDocument

次の表に、オペレーション「DownloadDocument」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

UpdateTag

次の表に、オペレーション「UpdateTag」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

ExportJob

次の表に、オペレーション「ExportJob」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

UpdateCaseSettings

次の表に、オペレーション「UpdateCaseSettings」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

UpdateWorkingsetSearch

次の表に、オペレーション「UpdateWorkingsetSearch」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

TagFiles

次の表に、オペレーション「TagFiles」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

ViewDocument

次の表に、オペレーション「ViewDocument」とワークロード「Compliance」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
StartTime	target.resource.attribute.creation_time
ExtendedProperties	target.resource.attribute.labels.key/value
Version	metadata.product_version

SearchViewed

次の表に、オペレーション「SearchViewed」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id If Name is SearchIds then Value is mapped to target.resource.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

CaseMemberAdded

次の表に、オペレーション「CaseMemberAdded」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member\|User) \{DATA:target_user}\ } }
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

SearchUpdated

次の表に、オペレーション「SearchUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

CaseAdminUpdated

次の表に、オペレーション「CaseAdminUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	about.user.email_address about.user.product_object_id If Name is CaseAdminsSmtp then Value is mapped to about.user.email_addresses if Name is CaseAdminsGuid then Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

CaseUpdated

次の表に、オペレーション「CaseUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

CaseMemberUpdated

次の表に、オペレーション「CaseMemberUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resrource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

SearchPermissionUpdated

次の表に、オペレーション「SearchPermissionUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExtendedProperties	principal.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

HoldUpdated

次の表に、オペレーション「HoldUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

SearchRemoved

次の表に、オペレーション「SearchRemoved」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

CaseAdminRemoved

次の表に、オペレーション「CaseAdminRemoved」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line target.user.email_address target.user.userid If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} target_user is mapped to target.user.email_addresses or target.user.userid
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

CaseRemoved

次の表に、オペレーション「CaseRemoved」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_detail
Query	security_result.description
SharepointLocations	security_result.category_details

SearchPermissionRemoved

次の表に、オペレーション「SearchPermissionRemoved」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	principal.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

HoldRemoved

次の表に、オペレーション「HoldRemoved」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

HoldCreated

次の表に、オペレーション「HoldCreated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

SearchCreated

次の表に、オペレーション「SearchCreated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_detail
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_detail
Query	security_result.description
SharepointLocations	security_result.category_detail

CaseAdminAdded

次の表に、オペレーション「CaseAdminAdded」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.prdouct_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

SearchStarted

次の表に、オペレーション「SearchStarted」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

SearchReport

次の表に、オペレーション「SearchReport」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

SearchStopped

次の表に、オペレーション「SearchStopped」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_detail

CaseViewed

次の表に、オペレーション「CaseViewed」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_detail
ExtendedProperties	target.resource.product_object_id about.user.email_addresses about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Nameis CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_detail
Query	security_result.description
SharepointLocations	security_result.category_detail

SearchExportDownloaded

次の表に、オペレーション「SearchExportDownloaded」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	metadata.product_version

CaseMemberRemoved

次の表に、オペレーション「CaseMemberRemoved」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member\|User) \{DATA:target_user}\ } }
Version	metadata.product_version

CaseAdded

次の表に、オペレーション「CaseAdded」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

SearchPermissionCreated

次の表に、オペレーション「SearchPermissionCreated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	principal.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details
Version	metadata.product_version

NetworkConfigurationUpdated

次の表に、オペレーション「NetworkConfigurationUpdated」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

ProcessProfileFields

次の表に、オペレーション「ProcessProfileFields」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

SupervisorAdminToggled

次の表に、オペレーション「SupervisorAdminToggled」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

NetworkSecurityConfigurationUpdated

次の表に、オペレーション「NetworkSecurityConfigurationUpdated」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

FileCreated

次の表に、オペレーション「FileCreated」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_CREATIONIf ResultStatus is TRUE { security_result.action is ALLOW} else {security_result.action is BLOCK}
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

GroupCreation

次の表に、オペレーション「GroupCreation」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

MessageDeleted

次の表に、オペレーション「MessageDeleted」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

GroupDeletion

次の表に、オペレーション「GroupDeletion」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

DataExport

次の表に、オペレーション「DataExport」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

FileVisited

次の表に、オペレーション「FileVisited」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_READ If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

StreamInvokeVideoView

次の表に、オペレーション「StreamInvokeVideoView」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoShare

次の表に、オペレーション「StreamInvokeVideoShare」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoLike

次の表に、オペレーション「StreamInvokeVideoLike」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoUnLike

次の表に、オペレーション「StreamInvokeVideoUnLike」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoUpload

次の表に、オペレーション「StreamInvokeVideoUpload」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoDownload

次の表に、オペレーション「StreamInvokeVideoDownload」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoSetLink

次の表に、オペレーション「StreamInvokeVideoSetLink」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamCreateGroup

次の表に、オペレーション「StreamCreateGroup」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamEditGroup

次の表に、オペレーション「StreamEditGroup」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamDeleteGroup

次の表に、オペレーション「StreamDeleteGroup」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_DELETION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamEditGroupMemberships

次の表に、オペレーション「StreamEditGroupMemberships」とワークロード「MicrosoftStream」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamCreateChannel

次の表に、オペレーション「StreamCreateChannel」とワークロード「MicrosoftStream」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamEditChannel

次の表に、オペレーション「StreamEditChannel」とワークロード「MicrosoftStream」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	network.http.referral_url
ResourceUrl	target.url
Version	metadata.product_version

StreamDeleteChannel

次の表に、オペレーション「StreamDeleteChannel」とワークロード「MicrosoftStream」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	network.http.referral_url
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeChannelSetThumbnail

次の表に、オペレーション「StreamInvokeChannelSetThumbnail」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	network.http.referral_url
ResourceUrl	target.url
Version	metadata.product_version

StreamEditVideoPermissions

次の表に、オペレーション「StreamEditVideoPermissions」とワークロード「MicrosoftStream」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is Succeeded then action is ALLOW else action is BLOCK
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamEditVideo

次の表に、オペレーション「StreamEditVideo」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamDeleteVideo

次の表に、オペレーション「StreamDeleteVideo」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamEditUserSettings

次の表に、オペレーション「StreamEditUserSettings」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamEditAdminTenantSettings

次の表に、オペレーション「StreamEditAdminTenantSettings」とワークロード「MicrosoftStream」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamCreateVideoComment

次の表に、オペレーション「StreamCreateVideoComment」とワークロード「MicrosoftStream」のログフィールドとそれぞれ対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamDeleteVideoComment

次の表に、オペレーション「StreamDeleteVideoComment」とワークロード「MicrosoftStream」のログフィールドとそれぞれ対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoTextTrackUpload

次の表に、オペレーション「StreamInvokeVideoTextTrackUpload」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamDeleteVideoTextTrack

次の表に、オペレーション「StreamDeleteVideoTextTrack」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoThumbnailUpload

次の表に、オペレーション「StreamInvokeVideoThumbnailUpload」とワークロード「MicrosoftStream」のログフィールドとそれぞれ対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is Succeeded then action is ALLOW else action is BLOCK
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamCreateVideo

次の表に、オペレーション「StreamCreateVideo」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url_back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

DlpRuleMatch

次の表に、オペレーション DlpRuleMatch とワークロード Exchange/SharePoint/OneDrive のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `EMAIL_TRANSACTION` `security_result.category` is set to `DATA_EXFILTRATION` `ObjectId` is set to `network.email.mail_id`
SharePointMetaData	`network.http.referral_url` `network.email.from` `target.file.full_path` `target.url` `target.file.size` `SiteCollectionUrl` is mapped to `network.http.referral_url` `From` is mapped to `network.email.from` (if `ExchangeMetadata` field not getting in log) `FileName` is mapped to `target.file.full_path` `FilePathUrl` is mapped to `target.url` `FileSize` is mapped to `target.file.size`
ExchangeMetaData	`network.email.from` `network.email.to` `network.email.bcc` `network.email.cc` `network.email.subject` `From` is mapped to `network.email.from` `To` is mapped to `network.email.to` `BCC` is mapped to `network.email.bcc` `CC` is mapped to `network.email.cc` `RecipientCount` is mapped to `about.labels.key/value` `Sent` is mapped to `about.labels.key/value`
ExceptionInfo	`about.labels.key/value`
PolicyDetails	`target.resource.product_object_id` `security_result.summary` `security_result.description` `security_result.rule_id` `security_result.rule_name` `security_result.severity` `security_result.confidence_details` `security_result.detection_fields.key/value` `PolicyId` is mapped to `target.resource.product_object_id` `PolicyName` is mapped to `security_result.summary` `SensitiveInformationTypeName` is mapped to `security_result.description` `RuleId` is mapped to `security_result.rule_id` `RuleName` is mapped to `security_result.rule_name` `Severity` is mapped to `security_result.severity` `SensitiveInformationDetailedClassificationAttributes.Confidence` is mapped to `security_result.confidence_details` `SensitiveInformationDetailedClassificationAttributes.Count` is mapped to `security_result.detection_fields.key/value`
IncidentId	`about.labels.key/value`
Version	`metadata.product_version`
Site	`target.labels.key/value`
ItemType	`target.resource.attribute.labels.key/value`
EventSource	`principal.application`
SourceName	`principal.labels.key/value`
UserAgent	`network.http.user_agent`
MachineDomainInfo	`target.asset.attribute.labels.key/value`
MachineId	`target.asset.product_object_id`
EndpointMetaData.SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.ClassifierType	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.UniqueCount	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value	`security_result.detection_fields.key/value`

DlpRuleUndo

次の表に、オペレーション「DlpRuleUndo」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id
SharePointMetaData	network.http.referral_url network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size
ExceptionInfo	about.labels.key/value
PolicyDetails	target.resource.product_object_id security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity
IncidentId	about.labels.key/value
Version	metadata.product_version
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.ClassifierType	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.UniqueCount	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value	`security_result.detection_fields.key/value`

DlpInfo

次の表に、オペレーション「DlpInfo」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id
SharePointMetaData	network.http.referral_url network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size
ExceptionInfo	about.labels.key/value
PolicyDetails	target.resource.product_object_id security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity
IncidentId	about.labels.key/value
Version	metadata.product_version
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.Confidence	`security_result.confidence_details`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.ClassifierType	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.UniqueCount	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId	`security_result.detection_fields.key/value`
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value	`security_result.detection_fields.key/value`

MipLabel

次の表に、オペレーション「MipLabel」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_UNCATEGORIZED ObjectId is set to network.email.mail_id
ApplicationMode	about.labels.key/value
ItemName	network.email.subject
LabelAppliedDateTime	principal.labels.key/value
LabelId	target.resource.product_object_id
LabelName	target.resource.name
Receivers	network.email.to
Sender	network.email.from
Version	metadata.product_version

SiteCollectionCreated

次の表は、オペレーション「SiteCollectionCreated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
CorrelationId	security_result.detection_fields.key/value
EventData	target.resource.name
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application
Version	metadata.product_version

SiteDeleted

次の表は、オペレーション「SiteDeleted」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
SiteUrl	network.http.referral_url
SourceFileExtension	src.file.mime_type
SourceFileName	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName	target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension	target.file.mime_type
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application
MachineId	target.asset.product_object_id

PreviewModeEnabledSet

次の表に、オペレーション「PreviewModeEnabledSet」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is mapped to SETTING
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

OfficeOnDemandSet

次の表に、オペレーション「OfficeOnDemandSet」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

HubSiteJoined

次の表に、オペレーション「HubSiteJoined」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
EventData	target.resource.attribute.labels.key/value target.resource.attribute.labels.key/value PreviousHubSiteIdis mapped to target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

HubSiteRegistered

次の表に、オペレーション「HubSiteRegistered」とワークロード「SharePoint」のログフィールドと、それぞれに対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
EventData	target.resource.attribute.labels.key/value target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

HubSiteUnjoined

次の表に、オペレーション「HubSiteUnjoined」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectID is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
EventData	target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

HubSiteUnregistered

次の表に、オペレーション「HubSiteUnregistered」とワークロード「HubSiteUnregistered」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE ObjectID is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
EventData	target.resource.attribute.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

SharingPolicyChanged

次の表は、オペレーション「SharingPolicyChanged」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
CorrelationId	security_result.detection_fields.key/value
Version	metadata.product_version
AssertingApplicationId	about.labels.key/value
ModifiedProperties	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

NetworkAccessPolicyChanged

次の表に、オペレーション「NetworkAccessPolicyChanged」とワークロード「SharePoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.ip target.labels.key/value if Name is IPAddressAllowList then NewValue is mapped to target.ip else target.labels.key/value
Site	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

AlertEntityGenerated

次の表に、オペレーション「AlertEntityGenerated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT security_result.category is set to DATA_EXFILTRATION
AlertId	target.resource.product_object_id
AlertType	target.resource.attribute.labels.key/value
Name	security_result.summary
PolicyId	target.labels.key/value
Status	target.resource.attribute.labels.key/value
Severity	security_result.severity
Category	security_result.category_details
Source	security_result.description
Comments	about.labels.key/value
Data	about.labels.key/value
AlertEntityId	target.user.userid or target.user.email_addresses
EntityType	target.resource.attribute.labels.key/value
Version	metadata.product_version

AlertTriggered

次の表に、オペレーション「AlertTriggered」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT security_result.category is set to DATA_EXFILTRATION
AlertId	target.resource.product_object_id
AlertType	target.resource.attribute.labels.key/value
Name	security_result.summary
PolicyId	target.labels.key/value
Status	target.resource.attribute.labels.key/value
Severity	security_result.severity
Category	security_result.category_details
Source	security_result.description
Comments	about.labels.key/value
Data	about.labels.key/value
AlertEntityId	target.user.userid or target.user.email_addresses
EntityType	target.resource.attribute.labels.key/value
Version	metadata.product_version

AlertUpdated

次の表に、オペレーション「AlertUpdated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT security_result.category is set to DATA_EXFILTRATION
AlertId	target.resource.product_object_id
AlertType	target.resource.attribute.labels.key/value
Name	security_result.summary
PolicyId	target.labels.key/value
Status	target.resource.attribute.labels.key/value
Severity	security_result.severity
Category	security_result.category_details
Source	security_result.description
Comments	about.labels.key/value
Data	about.labels.key/value
AlertEntityId	target.user.userid or target.user.email_addresses
EntityType	target.resource.attribute.labels.key/value
Version	metadata.product_version

Get-ComplianceCase

次の表に、オペレーション「Get-ComplianceCase」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-CaseHoldPolicy

次の表に、オペレーション「Get-CaseHoldPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_UNCATEGORIZED target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-ComplianceSearch

次の表に、オペレーション「Get-ComplianceSearch」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Remove-CaseHoldPolicy

次の表に、オペレーション「Remove-CaseHoldPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Set-CaseHoldPolicy

次の表に、オペレーション「Set-CaseHoldPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

New-CaseHoldRule

次の表に、オペレーション「New-CaseHoldRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Remove-CaseHoldRule

次の表に、オペレーション「Remove-CaseHoldRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Set-CaseHoldRule

次の表に、オペレーション「Set-CaseHoldRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Get-ComplianceSearchAction

次の表に、オペレーション「Get-ComplianceSearchAction」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

New-ComplianceCase

次の表に、オペレーション「New-ComplianceCase」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line target.resource.name
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Remove-ComplianceCase

次の表に、オペレーション「Remove-ComplianceCase」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Set-ComplianceCase

次の表に、オペレーション「Set-ComplianceCase」とワークロード「Set-ComplianceCase」の、ログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Add-ComplianceCaseMember

次の表に、オペレーション「Add-ComplianceCaseMember」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Remove-ComplianceCaseMember

次の表に、オペレーション「Remove-ComplianceCaseMember」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Update-ComplianceCaseMember

次の表に、オペレーション「Update-ComplianceCaseMember」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

New-ComplianceSearch

次の表に、オペレーション「New-ComplianceSearch」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Remove-ComplianceSearch

次の表に、オペレーション「Remove-ComplianceSearch」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Set-ComplianceSearch

次の表に、オペレーション「Set-ComplianceSearch」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Start-ComplianceSearch

次の表に、オペレーション「Start-ComplianceSearch」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Stop-ComplianceSearch

次の表に、オペレーション「Stop-ComplianceSearch」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

New-ComplianceSearchAction

次の表に、オペレーション「New-ComplianceSearchAction」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Remove-ComplianceSearchAction

次の表に、オペレーション「Remove-ComplianceSearchAction」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

New-ComplianceSecurityFilter

次の表に、オペレーション「New-ComplianceSecurityFilter」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Remove-ComplianceSecurityFilter

次の表に、オペレーション「Remove-ComplianceSecurityFilter」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Set-ComplianceSecurityFilter

次の表に、オペレーション「Set-ComplianceSecurityFilter」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Add-eDiscoveryCaseAdmin

次の表に、オペレーション「Add-eDiscoveryCaseAdmin」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CREATION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Remove-eDiscoveryCaseAdmin

次の表に、オペレーション「Remove-eDiscoveryCaseAdmin」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_DELETION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.user.email_addresses target.user.userid
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

New-CaseHoldPolicy

次の表に、オペレーション「New-CaseHoldPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-AadProtectionLevel

次の表に、オペレーション「Get-AadProtectionLevel」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-AutoSensitivityLabelPolicy

次の表に、オペレーション「Get-AutoSensitivityLabelPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-DlpsensitiveInformationType

次の表に、オペレーション「Get-DlpsensitiveInformationType」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-Label

次の表に、オペレーション「Get-Label」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-LabelPolicy

次の表に、オペレーション「Get-LabelPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

Get-PolicyConfig

次の表に、オペレーション「Get-PolicyConfig」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
SecurityComplianceCenterEventType	about.labels.key/value
Version	metadata.product_version

ValidaterbacAccessCheck

次の表に、オペレーション「ValidaterbacAccessCheck」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
AadAppId	target.labels.key/value
DataType	security_result.description
RelativeUrl	target.url
ResultCount	target.labels.key/value
Version	metadata.product_version

ApplicableAdaptiveScopeChange

次の表に、オペレーション「ApplicableAdaptiveScopeChange」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.resource.product_object_id If Name is AssociatedAdaptiveScopeIds then Value is target.resource.product_object_id
CorrelationId	security_result.detection_fields
ObjectType	security_result.summary

NewComplianceTag

次の表に、オペレーション「NewComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

NewRetentionComplianceRule

次の表に、オペレーション「NewRetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

NewRetentionCompliancePolicy

次の表に、オペレーション「NewRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_CREATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

RemoveComplianceTag

次の表に、オペレーション「RemoveComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/valueIf Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

RemoveRetentionCompliancePolicy

次の表に、オペレーション「RemoveRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

SetComplianceTag

次の表に、オペレーション「SetComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

SetRetentionComplianceRule

次の表に、オペレーション「SetRetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

SetRetentionCompliancePolicy

次の表に、オペレーション「SetRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}

Get-CsTeamsUpgradeOverridePolicy

次の表に、オペレーション「Get-CsTeamsUpgradeOverridePolicy」とワークロード「SkypeForBusiness」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	metadata.product_version
Parameters	security_result.description If Name is Tenant then Value is mapped to tenate_value If Name is Identity then Vale is mapped to identity_value security_result.description is Tenant = {tenate_value} / Identity = {identity_value}
SkypeForBusinessEventType	about.labels.key/value
TenantName	target.resource.product_object_id
Version	metadata.product_version

TeamsAdminAction

次の表に、オペレーション「TeamsAdminAction」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_CHANGE_PERMISSIONS If ResultStatus is Succeeded then Action is set to ALLOW If ResultStatus is Failed then Action is set to BLOCK
AdminActionDetail	security_result.summary
ClientApplication	network.http.user_agent
ExtraProperties	additional.fields.key/value.string_value
UserClaims	security_result.description
Version	metadata.product_version

Update-DistributionGroupMember

次の表に、オペレーション「Update-DistributionGroupMember」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK
ClientVersion	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.description target.group.product_object_id or target.group.email_addresses target.group.attribute.labels.key/value If Name is Members then Value is mapped to security_result.description If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
SessionId	network.session_id
Version	metadata.product_version

SupervisoryReviewOLAudit

次の表に、オペレーション「SupervisoryReviewOLAudit」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION extract auditscore form ResultStatus using ResultStatus .*?Score:{auditScore} and map with security_result.confidenece_details is {auditScore} security_result.confidence will map based on auditScore
LogonType	extensions.auth.mechanism
InternalLogonType	about.labels.key/value
MailboxGuid	target.labels.key/value
MailboxOwnerUPN	target.user.email_addresses or target.user.userid
MailboxOwnerSid	target.user.windows_sid
MailboxOwnerMasterAccountSid	target.labels.key/value
LogonUserSid	principal.user.windows_sid
LogonUserDisplayName	principal.user.user_display_name
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientInfoString	network.http.user_agent
ClientIPAddress	principal.ip and principal.port
ClientMachineName	principal.hostname
ClientProcessName	principal.process.file.full_path
ClientVersion	metadata.product_version
ExchangeDetails	network.direection network.email.from network.email.mail_id network.email.to network.email.subject If Directionality is Incoming then network.direction is mapped to INBOUND If Directionality is Outgoining then network.direction is mapped to OUTBOUND From is mapped to network.email.from InternetMessageId is mapped to network.email.mail_id Recipients is mapped to network.email.to Subject is mapped to network.email.subject
Version	metadata.product_version

CrmDefaultActivity

次の表に、オペレーション「CrmDefaultActivity」とワークロード「CRM」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
CrmOrganizationUniqueName	principal.resource.name
InstanceUrl	target.url
ItemUrl	principal.labels.key/value
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
Fields	about.labels.key/value
EntityId	principal.labels.key/value
EntityName	principal.labels.key/value
Message	security_result.summary
Query	security_result.description
PrimaryFieldValue	about.labels.key/value
CorrelationId	security_result.detection_fields.key/value.
QueryResults	about.labels.key/value
ServiceContextId	principal.labels.key/value
ServiceContextIdType	about.labels.key/value
ServiceName	principal.application
SystemUserId	principal.labels.key/value
Version	metadata.product_version

TIMailData

次の表に、オペレーション「TIMailData」とワークロード「ThreatIntelligence」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to EMAIL_TRANSACTION ObjectId is set to metadata.product_log_id
AttachmentData	about.file.full_path about.file.mime_type about.file.sha256 security_result.category_details AttachmentData.FileName is mapped to about.file.full_path AttachmentData.FileType is mapped to about.file.mime_type AttachmentData.SHA256 is mapped to about.file.sha256 AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details
DetectionType	security_result.summary
DetectionMethod	security_result.description
InternetMessageId	about.labels.key/value
NetworkMessageId	about.labels.key/value
P1Sender	principal.user.email_addresses
P2Sender	network.email.from
Policy	security_result.rule_name
PolicyAction	security_result.action PolicyAction is Quarantine then action is set to QUARANTINE PolicyAction is MoveToJmf then action is set to ALLOW_WITH_MODIFICATION
Recipients	network.email.to
SenderIp	src.ip
Subject	network.email.subject
Verdict	security_result.category
MessageTime	target.resource.attribute.labels.key/value
EventDeepLink	metadata.url_back_to_product
DeliveryAction	about.labels.key/value
OriginalDeliveryLocation	about.labels.key/value
LatestDeliveryLocation	about.labels.key/value
Directionality	network.direction
ThreatsAndDetectionTech	about.labels.key/value
AdditionalActionsAndResults	about.labels.key/value
Connectors	about.labels.key/value
AuthDetails	about.labels.key/value
PhishConfidenceLevel	about.labels.key/value
Version	metadata.product_version

SearchMtpStatus

次の表に、オペレーション「SearchMtpStatus」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
AadAppId	target.labels.key/value
DataType	target.labels.key/value
Version	metadata.product_version
RelativeUrl	target.url
ResultCount	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value

RemovedFromSiteCollection

次の表に、オペレーション「RemovedFromSiteCollection」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
TargetUserOrGroupType	target.group.group_display_name target.user.userid target.user.email_addresses
WebId	about.labels.key/value
CorrelationId	security_result.detection_fields.key/value.
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ApplicationDisplayName	target.application

CommentsDisabled

次の表に、オペレーション「CommentsDisabled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
SourceRelativeUrl	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SiteUrl	network.http.referral_url
SourceFileExtension	target.file.mime_type
WebId	about.labels.key/value
UserAgent	network.http.user_agent
ListItemUniqueId	principal.asset_id
ListId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application

FileRecycled

次の表に、オペレーション「FileRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	target.file.mime_type
UserSharedWith	target.labels.key/value
SharingType	target.labels.key/value
CorrelationId	security_result.detection_fields.key/value.
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
ApplicationDisplayName	target.application
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value

CommentsEnabled

次の表に、オペレーション「CommentsEnabled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SourceFileExtension	target.file.mime_type
SiteUrl	network.http.referral_url
SourceFileName	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	if ObjectId field is not present in log then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
ApplicationDisplayName	target.application

FolderRecycled

次の表に、オペレーション「FolderRecycled」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_DELETION ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListItemUniqueId	principal.asset_id
ListId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	target.file.mime_type
UserSharedWith	target.labels.key/value
SharingType	target.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
CorrelationId	security_result.detection_fields.key/value.
WebId	about.labels.key/value

FileTranscriptRequested

次の表に、オペレーション「FileTranscriptRequested」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListItemUniqueId	principal.asset_id
ListId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	target.file.mime_type
UserSharedWith	target.labels.key/value
SharingType	target.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
CorrelationId	security_result.detection_fields.key/value.
WebId	about.labels.key/value

WACTokenShared

次の表は、オペレーション「WACTokenShared」とワークロード「SharePoint/OneDrive」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
ListItemUniqueId	principal.asset_id
ListId	security_result.detection_fields.key/value
ApplicationDisplayName	target.application
SiteUrl	network.http.referral_url
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension	target.file.mime_type
UserSharedWith	target.labels.key/value
SharingType	target.labels.key/value
SensitivityLabelOwnerEmail	security_result.detection_fields.key/value
SensitivityLabelId	security_result.detection_fields.key/value
CorrelationId	security_result.detection_fields.key/value.
WebId	about.labels.key/value

ラベルを更新する

次の表に、オペレーション「ラベルを更新する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

SiteLocksChanged

次の表は、オペレーション「SiteLocksUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id

SiteIBModeSet

次の表は、オペレーション「SiteIBModeSet」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_UNCATEGORIZED target.resource.resource_type is set to SETTING ObjectId is mapped to target.url If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
ModifiedProperties	target.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id

SiteDesignInvoked

次の表は、オペレーション「SiteDesignInvoked」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
EventData	target.resource.attribute.labels.key/value SiteDesignId is mapped to target.resource.attribute.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id

SiteContentTypeCreated

次の表は、オペレーション「SiteContentTypeCreated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
ListTitle	about.labels.key/value
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id

SiteCollectionQuotaModified

次の表は、オペレーション「SiteCollectionQuotaModified」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING ObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
Site	target.labels.key/value
UserAgent	network.http.user_agent
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id

ShortcutAdded

次の表に、オペレーション「ShortcutAdded」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATIONObjectId is mapped to target.url
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
EventSource	principal.application
ItemType	target.resource.attribute.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
Site	target.labels.key/value
UserAgent	network.http.user_agent
WebId	about.labels.key/value
SourceFileExtension	target.file.mime_type
SiteUrl	network.http.referral_url
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceName	principal.labels.key/value
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id

SPOIBIsEnabled

次のテーブルに、オペレーション「SPOIBIsEnabled」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.

WebAccessRequestApproverModified

次の表に、オペレーション「WebAccessRequestApproverModified」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
ModifiedProperties	target.labels.key/value if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value

Set-TransportConfig

次の表に、オペレーション「Set-TransportConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
AppId	target.labels.key/value
Parameters	principal.user.email_addresses principal.user.userid If Name is Identity then Valueis mapped toprincipal.user.email_addresses or principal.user.userid

Set-TenantObjectVersion

次の表に、オペレーション「Set-TenantObjectVersion」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value If Name is DomainController then Value is mapped to target.administrative_domain else target.labels.key/value

Set-RecipientEnforcementProvisioningPolicy

次の表に、オペレーション「Set-RecipientEnforcementProvisioningPolicy」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

Set-PolicyConfig

次の表に、オペレーション「Set-PolicyConfig」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT target.resource.resource_type is set to ACCESS_POLICY
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Set-OwaMailboxPolicy

次のテーブルに、オペレーション「Set-OwaMailboxPolicy」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

Set-MailboxPlan

次の表に、オペレーション「Set-MailboxPlan」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

Set-LabelProperties

次の表に、オペレーション「Set-LabelProperties」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value
SessionId	network.session_id

Set-Label

次の表に、オペレーション「Set-Label」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. target.resource.resource_type is set to SETTING
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.labels.key/value
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Set-ExchangeAssistanceConfig

次の表に、オペレーション「Set-ExchangeAssistanceConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.url target.labels.key/value If Name is PrivacyStatementURL then Value is mapped to target.url else target.labels.key/value

Set-ConditionalAccessPolicy

次の表に、オペレーション「Set-ConditionalAccessPolicy」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.resource.name target.labels.key/value If Name is DisplayName then Value is mapped to target.resource.name else target.labels.key/value
SessionID	network.session_id

New-ConditionalAccessPolicy

次の表に、オペレーション「New-ConditionalAccessPolicy」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.resource.name target.labels.key/value If Name is DisplayName then Value is mapped to target.resource.name else target.labels.key/value
SessionID	network.session_id

RemovedSearchReport

次の表に、オペレーション「RemovedSearchReport」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

Get-PrivacyManagementPolicy

次の表に、オペレーション「Get-privacyManagementPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line

Set-RetentionCompliancePolicy

次の表に、オペレーション「Set-RetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
Parameters	target.process.command_line

SearchTrialOffer

次の表に、オペレーション「SearchTrialOffer」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchTIKustoClusterInformation

次の表に、オペレーション「SearchTIKustoClusterInformation」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchMtpRoleInfo

次の表に、オペレーション「SearchMtpRoleInfo」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchMailflowForwardingData

次の表に、オペレーション「SearchMailflowForwardingData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchDataInsightsSubscription

次の表に、オペレーション「SearchDataInsightsSubscription」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchCustomerInsight

次の表に、オペレーション「SearchCustomerInsight」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchConnectorReportData

次の表に、オペレーション「SearchConnectorReportData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchAlertAggregate

次の表に、オペレーション「SearchAlertAggregate」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchAlert

次の表に、オペレーション「SearchAlert」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Enable-AddressListPaging

次の表に、オペレーション「Enable-AddressListPaging」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

Install-AdminAuditLogConfig

次の表に、オペレーション「Install-AdminAuditLogConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

AccessedAggregates

次の表に、オペレーション「AccessedAggregates」とワークロード「Mip」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
DataType	security_result.description
version	metadata.product_version

AccessedSiteList

次の表は、オペレーション「AccessedSiteList」とワークロード「Mip」のログフィールドと対応する UDM のマッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
DataType	security_result.description
version	metadata.product_version

Install-DataClassificationConfig

次の表に、オペレーション「Install-DataClassificationConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

Set-UnifiedGroup

次の表に、オペレーション「Set-UnifiedGroup」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. if ResultStatus is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	network.application_protocol target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses
SessionId	network.session_id

ApplicableAdaptivePolicyChange

次の表に、オペレーション「ApplicableAdaptivePolicyChange」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	security_result.detection_fields.key/value. target.resource.product_object_id if Name is CorrelationId then Name is mapped to security_result.detection_fields.key/value. if Name is AssociatedAdaptivePolicyIds then AssociatedAdaptivePolicyIds is mapped to target.resource.product_object_id
ObjectType	security_result.summary

Get-AppRetentionComplianceRule

次の表に、オペレーション「Get-AppRetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{:target_resource_product_object_id}\ } }

New-AppRetentionComplianceRule

次の表に、オペレーション「New-AppRetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId	principal.labels.key/value
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.resource.name target.resource.product_object_id Extract Policy and Name using grok Name is mapped to target.resource.name Policy is mapped to target.resource.product_object_id
StartTime	target.resource.attribute.creation_time

New-AppRetentionCompliancePolicy

次の表に、オペレーション「New-AppRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId	principal.labels.key/value
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
StartTime	target.resource.attribute.creation_time

Set-AppRetentionCompliancePolicy

次の表に、オペレーション「Set-AppRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
StartTime	target.resource.attribute.creation_time

Install-DefaultSharingPolicy

次の表は、オペレーション「Install-DefaultSharingPolicy」とワークロード「Exchange」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

Install-ResourceConfig

次の表に、オペレーション「Install-ResourceConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

New-Mailbox

次の表に、オペレーション「New-Mailbox」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZEDObjectId is mapped to target.url
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value
SessionId	network.session_id

Add-MailboxFolderPermission

次の表に、オペレーション「Add-MailboxFolderPermission」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.resource.name target.user.user_display_name target.user.attribute.permissions.name target.labels.key/value If Name is Identity then Value is mapped to target.resource.name If Name is User then Value is mapped to target.user.user_display_name If Name is AccessRights then Value is mapped to target.user.attribute.permissions.name else target.labels.key/value

New-LabelPolicy

次の表に、オペレーション「New-LabelPolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to ACCESS_POLICY
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

New-Label

次の表に、オペレーション「New-Label」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.resource.name
StartTime	target.resource.attribute.creation_time
UserServicePlan	principal.labels.key/value

Get-ActivityAlert

次の表に、オペレーション「Get-ActivityAlert」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-ProtectionAlert

次の表に、オペレーション「Get-ProtectionAlert」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

SearchComplianceCase

次の表に、オペレーション「SearchComplianceCase」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	about.labels.key/value
UserServicePlan	principal.labels.key/value
version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Remove-ComplianceTag

次の表に、オペレーション「Remove-ComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Remove-AppRetentionCompliancePolicy

次の表に、オペレーション「Remove-AppRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource_resource_type is set to ACCESS_POLICY
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Remove-RetentionCompliancePolicy

次の表に、オペレーション「Remove-RetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource_resource_type is set to ACCESS_POLICY
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

New-ComplianceTag

次の表に、オペレーション「New-ComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Enable-ComplianceTagStorage

次の表に、オペレーション「Enable-ComplianceTagStorage」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-ComplianceRetentionEventType

次の表に、オペレーション「Get-ComplianceRetentionEventType」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

AggregateActivityData

次の表に、オペレーション「AggregateActivityData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	about.labels.key/value
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Set-ComplianceTag

次の表に、オペレーション「Set-ComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-FilePlanPropertyStructure

次の表に、オペレーション「Get-FilePlanPropertyStructure」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

New-ComplianceRetentionEventType

次の表に、オペレーション「New-ComplianceRetentionEventType」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is mapped to ACCESS_POLICY
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line target.resource.name target_resource_name is mapped to target.resource.name
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-DlpSensitiveInformationTypeRulePackage

次の表に、オペレーション「Get-DlpsensitiveInformationTypeRulePackage」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-ComplianceRetentionEvent

次の表に、オペレーション「Get-ComplianceRetentionEvent」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

ComplianceSecurityFilter

次の表に、オペレーション「ComplianceSecurityFilter」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-QuarantineMessage

次の表に、オペレーション「Get-QuarantineMessage」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

AggregateThreatProfileDetails

次の表に、オペレーション「AggregateThreatProfileDetails」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	about.labels.key/value
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Get-DlpDetectionsReport

次の表に、オペレーション「Get-DlpDetectionsReport」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
ClientApplication	principal.application
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
Parameters	target.process.command_line
UserServicePlan	principal.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-AppRetentionCompliancePolicy

次の表に、オペレーション「Get-AppRetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Add-RoleGroupMember

次の表に、オペレーション「Add-RoleGroupMember」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
SessionId	network.session_id

Update-RoleGroupMember

次の表に、オペレーション「Update-RoleGroupMember」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientVersion	metadata.product_version
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
SessionId	network.session_id

New-RoleGroup

次の表に、オペレーション「New-RoleGroup」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	metadata.product_version
AppId	target.labels.key/value
SessionId	network.session_id
ClientAppId	target.labels.key/value

Provision-ComplianceMailboxFolder

次の表に、オペレーション「Provision-ComplianceMailboxFolder」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientVersion	metadata.product_version
version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Parameters	target.resource.product_object_id target.labels.key/value need to discuss mapping of MultiStageReviewFolderSetting in parameter fields If Name is FolderName then Value is mapped to target.resource_product_object_id else target.labels.key/value

Remove-Mailbox

次の表に、オペレーション「Remove-Mailbox」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientVersion	metadata.product_version
version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Parameters	target.resource.name target.labels.key/value If Name is Identity then Value is mapped to target.resource.name else target.labels.key/value

New-QuarantinePolicy

次の表に、オペレーション「New-QuarantinePolicy」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
ClientVersion	metadata.product_version
version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Parameters	target.resource.name target.labels.key/value If Name is Name then Value is mapped to target.resource.name All other parameters will map with target.labels.key/value
SessionId	network.session_id

Get-RoleGroup

次の表に、オペレーション「Get-RoleGroup」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK }
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

SearchLabelAnalyticsActivityData

次の表に、オペレーション「SearchLabelAnalyticsActivityData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	about.labels.key/value
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Get-DlpCompliancePolicy

次の表に、オペレーション「Get-DlpCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to ACCESS_POLICY
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
UserServicePlan	principal.labels.key/value

SearchSecurityRedirection

次の表に、オペレーション「SearchSecurityRedirection」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	about.labels.key/value
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Get-ComplianceCaseMember

次の表に、オペレーション「Get-ComplianceCaseMember」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

HoldViewed

次の表に、オペレーション「HoldViewed」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.category_details
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

Get-eDiscoveryCaseAdmin

次の表に、オペレーション「Get-eDiscoveryCaseAdmin」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-RoleGroupMember

次の表に、オペレーション「Get-RoleGroupMember」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-ManagementRole

次の表に、オペレーション「Get-ManagementRole」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Set-RoleGroup

次の表に、オペレーション「Set-RoleGroup」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.group.group_display_name target.process.command_line Extract DisplayName using grok Name is mapped totarget.group.group_display_name
Version	metadata.product_version
ResultCountSecurityComplianceCenterEventType	about.labels.key/value

Get-SecurityPrincipal

次の表に、オペレーション「Get-SecurityPrincipal」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-CaseHoldRule

次の表に、オペレーション「Get-CaseHoldRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } }
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

ViewedSearchReport

次の表に、オペレーション「ViewedSearchReport」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	principal.process.command_line If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	metadata.product_version
Case	metadata.description
ExchangeLocations	security_result.summary
ExtendedProperties	target.resource.product_object_id about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value
ObjectType	security_result.summary
PublicFolderLocations	security_result.category_details
Query	security_result.description
SharepointLocations	security_result.category_details

Get-AdaptiveScope

次の表に、オペレーション「Get-AdaptiveScope」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-RetentionCompliancePolicy

次の表に、オペレーション「Get-RetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS target.resource.resource_type is set to ACCESS_POLICY
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

New-RetentionCompliancePolicy

次の表に、オペレーション「New-RetentionCompliancePolicy」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION target.resource.resource_type is set to ACCESS_POLICY
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

New-RetentionComplianceRule

次の表に、オペレーション「New-RetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } }
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-ComplianceTag

次の表に、オペレーション「Get-ComplianceTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Set-RetentionComplianceRule

次の表に、オペレーション「Set-RetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-RegulatoryComplianceUI

次の表に、オペレーション「Get-RegulatoryComplianceUI」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-RetentionComplianceRule

次の表に、オペレーション「Get-RetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } }
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

New-AdaptiveScope

次の表に、オペレーション「New-AdaptiveScope」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.resource.name target.process.command_line Extract Name using grok Name is mapped to target.resource.name
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Enable-AdaptiveScopeStorage

次の表に、オペレーション「Enable-AdaptiveScopeStorage」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

SearchCustomTag

次の表に、オペレーション「SearchCustomTag」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	about.labels.key/value
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Set-RegulatoryComplianceUI

次の表に、オペレーション「Set-RegulatoryComplianceUI」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	target.process.command_line
Version	metadata.product_version

RemoveRetentionComplianceRule

次の表に、オペレーション「RemoveRetentionComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} The name and value for the parameters that were used with the corresponding cmdlet.
Version	metadata.product_version
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value
ObjectType	security_result.summary

NewAdaptiveScope

次の表に、オペレーション「NewAdaptiveScope」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Parameters	principal.process.command_line The name and value for the parameters that were used with the corresponding cmdlet. If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args}
Version	metadata.product_version
ObjectType	security_result.summary
ExtendedProperties	target.user.user_display_name target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

CommentCreated

次の表に、オペレーション「CommentCreated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
WebId	about.labels.key/value
SourceFileExtension	target.file.mime_type
SiteUrl	network.http.referral_url
SourceFileName	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl	target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
CommentId	about.labels.key/value

DeviceAccessPolicyChanged

次のテーブルに、オペレーション「DeviceAccessPolicyChanged」とワークロード「SharePoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	metadata.product_version
CorrelationId	security_result.detection_fields.key/value.
ModifiedProperties	target.labels.key/value

HeartBeat

次の表に、オペレーション「HeartBeat」とワークロード「Aip」のログフィールドと対応する UDM マッピングを示します。

Log field

UDM mapping

metadata.event_type is mapped to USER_RESOURCE_CREATION

Common

target.resource.product_object_id

target.resource.name

target.process.command_line

target.hostname

metadata.product_version

ApplicationId is mapped to target.resource.product_object_id

ApplicationName is mapped to target.resource.name

ProcessName is mapped to target.process.command_line

DeviceName is mapped to target.hostname

ProductVersion is mapped to metadata.product_version

Version

metadata.product_version

MessageCreation

次の表に、オペレーション「MessageCreation」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version
MessageID	target.resource.product_object_id

ThreadViewed

次の表に、オペレーション「ThreadViewed」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version
ThreadID	about.labels.key/value

StreamEditAdminGlobalRoleMembers

次の表に、オペレーション「StreamEditAdminGlobalRoleMembers」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeGetTextTrack

次の表に、オペレーション「StreamInvokeGetTextTrack」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeChannelView

次の表に、オペレーション「StreamInvokeChannelView」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeVideoMakePublic

次の表に、オペレーション「StreamInvokeVideoMakePublic」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

StreamInvokeGroupView

次の表に、オペレーション「StreamInvokeGroupView」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

Set-CsOnlineDirectoryTenant

次の表に、オペレーション「Set-CsOnlineDirectoryTenant」とワークロード「SkypeForBusiness」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	metadata.product_version
Parameters	target.labels.key/value
SkypeForBusinessEventType	about.labels.key/value
TenantName	target.resource.product_object_id
Version	metadata.product_version

Set-CsHostedVoicemailPolicy

次の表に、オペレーション「Set-CsHostedVoicemailPolicy」とワークロード「SkypeForBusiness」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	metadata.product_version
Parameters	target.administrative_domain target.url target.labels.key/value If Name is Organization then Value is mapped to target.administrative_domain If Name is Destination then Value is mapped to target.url else target.labels.key/value
SkypeForBusinessEventType	about.labels.key/value
TenantName	target.resource.product_object_id
Version	metadata.product_version

Get-CSSimpleUrlConfiguration

次の表に、オペレーション「Get-CSSimpleUrlConfiguration」とワークロード「SkypeForBusiness」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion	metadata.product_version
Parameters	target.administrative_domain target.labels.key/value If Name is Organization then Value is mapped to target.administrative_domain else target.labels.key/value
SkypeForBusinessEventType	about.labels.key/value
TenantName	target.resource.product_object_id
Version	metadata.product_version

New-ExchangeAssistanceConfig

次の表に、オペレーション「New-ExchangeAssistanceConfig」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value

New-App

次の表に、オペレーション「New-App」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.labels.key/value
SessionId	network.session_id

PublishToWebReport

次の表に、オペレーション「PublishToWebReport」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
ReportName	target.resource.name
WorkspaceId	target.resource.attribute.labels.key/value
DatasetId	target.resource.attribute.labels.key/value
ReportId	target.resource.product_object_id
ReportType	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
UserAgent	network.http.user_agent
DistributionMethod	about.labels.key/value

UpdateGateway

次の表に、オペレーション「UpdateGateway」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
SwitchState	about.labels.key/value
WorkSpaceName	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
ActivityId	principal.labels.key/value
RequestId	about.labels.key/value
GatewayId	target.resource.product_object_id

ShareDataset

次の表に、オペレーション「ShareDataset」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	target.resource.attribute.labels.key/value
WorkspaceId	target.resource.attribute.labels.key/value
ArtifactId	target.resource.product_object_id
ArtifactName	target.resource.name
RequestId	about.labels.key/value
ActivityId	principal.labels.key/value
UserAgent	network.http.user_agent
SharingAction	about.labels.key/value

GetRefreshablesAsAdmin

次の表に、オペレーション「GetRefreshablesAsAdmin」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	target.resource.attribute.labels.key/value
RequestId	about.labels.key/value
UserAgent	network.http.user_agent
ActivityId	principal.labels.key/value

CreateTagJob

次の表に、オペレーション「CreateTagJob」とワークロード「Compliance」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
CaseID	target.resource.product_object_id
CaseName	target.resource.name
EndTime	target.resource.attribute.last_update_time
ExtendedProperties	target.resource.attribute.labels.key/value
StartTime	target.resource.attribute.creation_time

代理権限付与を追加する

次の表に、オペレーション Add delegated permission grant とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
ModifiedProperties	`target.resource.product_object_id` `target.resource.name` `security_result.summary` If `Name` is `ServicePrincipal.ObjectId` then `NewValue` is mapped to `target.resource.product_object_id` If `Name` is `ServicePrincipal.DisplayName` then `NewValue` is mapped to `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `DelegatedPermissionGrant.Scope` then `NewValue` and `OldValue` is mapped to `target.resource.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value` If `Type` is 5 then `ID` is mapped to `target.uset.userid` or `target.user.email_addresses`
TargetContextId	`target.labels.key/value`

サービスプリンシパルへのアプリロールの割り当てを追加する

次のテーブルに、オペレーション「サービスプリンシパルへのアプリロールの割り当てを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summary If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

アプリケーションに対して更新する

次の表に、オペレーション「アプリケーションに対して更新する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

アプリケーションを更新する - 証明書とシークレット管理

次の表に、オペレーション Update application – Certificates and secrets management とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT` if `ObjectId` has unique field in the log then and then only it will be mapped.
Version	`metadata.product_version`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
ModifiedProperties	`security_result.summary` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `RequiredResourceAccess` then `New Value` and `Old Value` is mapped with `target.resource.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.user.userid` or `target.user.email_addresses` `security_result.detection_fields.key/value`
TargetContextId	`target.labels.key/value`

アプリケーションにオーナーを追加する

次の表に、オペレーション「アプリケーションにオーナーを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name security_result.summaryIf Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Application.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.labels.key/value
TargetContextId	target.labels.key/value

アプリケーションに追加する

次の表に、オペレーション「アプリケーションに追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.name security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

デバイス構成を追加する

次の表に、オペレーション「デバイス構成を追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.name security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

未確認のドメインを追加する

次の表に、オペレーション「未確認のドメインを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.name security_result.summary If Name is Name then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

ポリシーを追加

次の表に、オペレーション「ポリシーを追加」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version	metadata.product_version
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.name security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	security_result.detection_fields.key/value
TargetContextId	target.labels.key/value

CreateResponse

次の表に、オペレーション「CreateResponse」とワークロード「MicrosoftForms」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	principal.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

EditForm

次の表に、オペレーション「EditForm」とワークロード「MicrosoftForms」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	principal.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

SubmitResponse

次の表に、オペレーション「SubmitResponse」とワークロード「MicrosoftForms」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
FormsUserTypes	principal.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

ViewResponses

次の表に、オペレーション「ViewResponses」とワークロード「MicrosoftForms」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	principal.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

ViewRuntimeForm

次の表に、オペレーション「ViewRuntimeForm」とワークロード「MicrosoftForms」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes	principal.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

DeleteFlow

次の表に、オペレーション「DeleteFlow」とワークロード「MicrosoftForms」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION
FormsUserTypes	target.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

ListViewed

次の表に、オペレーション「ListViewed」とワークロード「SharePoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value
ItemCount	target.labels.key/value
ListColor	target.labels.key/value
ListIcon	target.labels.key/value
TemplateTypeId	about.labels.key/value

ListColumnUpdated

次の表に、オペレーション「ListColumnUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value

ListContentTypeUpdated

次の表に、オペレーション「ListContentTypeUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value

ListItemDeleted

次の表は、オペレーション「ListItemDeleted」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListItemUniqueId	principal.asset_id
ListTitle	about.labels.key/value
WebId	about.labels.key/value

ListUpdated

次の表は、オペレーション「ListUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListColor	target.labels.key/value
ListIcon	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value
TemplateTypeId	about.labels.key/value
ApplicationDisplayName	target.application
ItemCount	target.labels.key/value

ListItemCreated

次の表に、オペレーション「ListItemCreated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListColor	target.labels.key/value
ListIcon	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value
TemplateTypeId	about.labels.key/value
ItemCount	target.labels.key/value

ListColumnCreated

次の表に、オペレーション「ListColumnCreated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListColor	target.labels.key/value
ListIcon	target.labels.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value
TemplateTypeId	about.labels.key/value
ItemCount	target.labels.key/value

SiteContentTypeUpdated

次の表は、オペレーション「SiteContentTypeUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value

ListItemViewed

次の表に、オペレーション「ListItemViewed」とワークロード「SharePoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value
ItemCount	target.labels.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListColor	target.labels.key/value
ListIcon	target.labels.key/value
ListItemUniqueId	principal.asset_id

ListItemUpdated

次の表は、オペレーション「ListItemUpdated」とワークロード「SharePoint」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT ObjectId is mapped to target.url
Site	target.labels.key/value
ItemType	target.resource.attribute.labels.key/value
EventSource	principal.application
SourceName	principal.labels.key/value
UserAgent	network.http.user_agent
MachineDomainInfo	target.asset.attribute.labels.key/value
MachineId	target.asset.product_object_id
Version	medata.product_version
CorrelationId	security_result.detection_fields.key/value
ListId	security_result.detection_fields.key/value
ListTitle	about.labels.key/value
WebId	about.labels.key/value
target.file.size	target.labels.key/value
ListBaseTemplateType	target.labels.key/value
ListBaseType	target.labels.key/value
ListColor	target.labels.key/value
ListIcon	target.labels.key/value
ListItemUniqueId	principal.asset_id

FileRenamed

次の表に、オペレーション「FileRenamed」とワークロード「Endpoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_MOVE
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileType	target.resource.attribute.labels.key/value
PreviousFileName	src.file.full_path
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path

UpdatePowerApp

次の表に、オペレーション「UpdatePowerApp」とワークロード「PowerApps」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
AppName	target.labels.key/value
Id	metadata.product_log_id

SubscribedToMessages

次の表に、オペレーション「SubscribedToMessages」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
ExtraProperties	additional.fields.key/value.string_value
SubscriptionId	target.resource.attribute.labels.key/value
OperationScope	about.labels.key/value
Version	metadata.product_version

MessageCreatedNotification

次の表に、オペレーション「MessageCreatedNotification」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageId	target.resource.product_object_id
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
MessageVersion	target.resource.attribute.labels.key/value
SubscriptionId	target.resource.attribute.labels.key/value
ChatThreadId	target.user.group_identifiers target.group.product_object_id
OperationScope	about.labels.key/value
Version	metadata.product_version

MessageUpdatedNotification

次の表に、オペレーション「MessageUpdatedNotification」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageId	target.resource.product_object_id
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
MessageVersion	target.resource.attribute.labels.key/value
SubscriptionId	target.resource.attribute.labels.key/value
ChatThreadId	target.user.group_identifiers target.group.product_object_id
OperationScope	about.labels.key/value
Version	metadata.product_version

MessageCreatedHasLink

次の表に、オペレーション「MessageCreatedHasLink」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
MessageId	target.resource.product_object_id
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
SubscriptionId	target.resource.attribute.labels.key/value
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	about.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
MessageVersion	target.resource.attribute.labels.key/value
OperationScope	about.labels.key/value
Version	metadata.product_version

MessagesListed

次の表に、オペレーション「MessagesListed」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
ChannelGuid	target.resource.product_object_id
AADGroupId	target.labels.key/value
CommunicationType	about.labels.key/value
OperationScope	about.labels.key/value
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version

PerformedCardAction

次の表に、オペレーション「PerformedCardAction」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
AddOnGuid	target.labels.key/value
AddOnName	target.labels.key/value
AddOnType	target.labels.key/value
ChannelGuid	target.resource.product_object_id
ChannelName	target.resource.name
ChannelType	target.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
CommunicationType	about.labels.key/value
TeamGuid	target.user.group_identifiers and target.group.product_object_id
TeamName	target.group.group_display_name
Version	metadata.product_version

MessageEditedHasLink

次の表に、オペレーション「MessageEditedHasLink」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
MessageId	target.resource.product_object_id
MessageURLs	target.resource.attribute.labels.key/value
MessageSizeInBytes	target.resource.attribute.labels.key/value
SubscriptionId	target.resource.attribute.labels.key/value
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	about.labels.key/value
ExtraProperties	additional.fields.key/value.string_value
MessageVersion	target.resource.attribute.labels.key/value
OperationScope	about.labels.key/value
Version	metadata.product_version

MeetingParticipantDetail

次の表に、オペレーション「MeetingParticipantDetail」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Attendees	about.resource.product_object_id about.user.product_object_id about.user.attribute.roles.name OrganizationId is mapped to about.resource.product_object_id Role is mapped to about.user.attribute.roles.name UserObjectId is set to about.user.product_object_id
ExtraProperties	additional.fields.key/value.string_value
JoinTime	target.resource.attribute.creation_time
LeaveTime	target.resource.attribute.last_update_time
MeetingDetailId	target.resource.product_object_id
Version	metadata.product_version

MeetingDetail

次の表に、オペレーション「MeetingDetail」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
StartTime	target.resource.attribute.creation_time
EndTime	target.resource.attribute.last_update_time
ExtraProperties	additional.fields.key/value.string_value
MeetingURL	target.url
MessageId	target.resource.product_object_id
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	about.labels.key/value
Modalities	security_result.summary
Organizer	principal.user.product_object_id
Version	metadata.product_version

MessageUpdated

次の表に、オペレーション「MessageUpdated」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ExtraProperties	additional.fields.key/value.string_value
MessageVersion	target.resource.attribute.labels.key/value
MessageId	target.resource.product_object_id
ChatThreadId	target.user.group_identifiers target.group.product_object_id
CommunicationType	about.labels.key/value
Version	metadata.product_version

AggregateTransportQueueData

次の表に、オペレーション「AggregateTransportQueueData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

AuthorizeCustomerInsight

次の表に、オペレーション「AuthorizeCustomerInsight」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

AuthorizeConnectorReportData

次の表に、オペレーション「AuthorizeConnectorReportData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchAlertOverride

次の表に、オペレーション「SearchAlertOverride」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

AuthorizeMailflowForwardingData

次の表に、オペレーション「AuthorizeMailflowForwardingData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchDomainTrafficStatus

次の表に、オペレーション「SearchDomainTrafficStatus」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchAlertActivity

次の表に、オペレーション「SearchAlertActivity」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

AggregateMailmetadata

次の表に、オペレーション「AggregateMailmetadata」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

InsightGenerated

次の表に、オペレーション「InsightGenerated」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
Category	security_result.category_details
Description	security_result.description
InsightId	target.resource.product_object_id
Name	target.resource.name
Version	metadata.product_version

UserSubmission

次の表に、オペレーション「UserSubmission」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCAN_UNCATEGORIZED security_result.category is MAIL_SPAM
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
ClientApplication	principal.application
KesMailId	network.email.mail_id
ExtendedProperties	security_result.rule_name security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details
P1SenderDomain	principal.administrative_domain
Recipients	network.email.to
SenderIP	principal.ip
Subject	network.email.subject
P2Sender	network.email.from
SubmissionState	security_result.summary
P1Sender	principal.user.email_addresses
Version	metadata.product_version

SaveRoleGroupMember

次の表に、オペレーション「SaveRoleGroupMember」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

AggregateCampaignIntelligenceData

次の表に、オペレーション「AggregateCampaignIntelligenceData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchEmailTimelineEvents

次の表に、オペレーション「SearchEmailTimelineEvents」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

SearchAlertStory

次の表に、オペレーション「SearchAlertStory」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

AggregateThreatDetailsBulk

次の表に、オペレーション「AggregateThreatDetailsBulk」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

Get-User

次の表に、オペレーション「Get-User」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	target.process.command_line target.resource.product_object_id
ClientApplication	principal.application
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

Get-DlpComplianceRule

次の表に、オペレーション「Get-DlpComplianceRule」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	target.process.command_line target.resource.product_object_id
ClientApplication	principal.application
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value

AnalyzedByExternalApplication

次の表に、オペレーション「AnalyzedByExternalApplication」とワークロード「Power BI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to RESOURCE_READ
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.name
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	target.resource.attribute.labels.key/value
SwitchState	about.labels.key/value
ActivityId	principal.labels.key/value
UserAgent	network.http.user_agent
RequestId	about.labels.key/value

New-MigrationBatch

次の表に、オペレーション「New-MigrationBatch」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.resource.name target.administrative_domain target.resource.attribute.key/value If Name is Name then Value is mapped to target.resource.name if Name is TargetDeliveryDomain then Value is mapped to target.administrative_domain If Name is AutoStart then Value is mapped to target.resource.attribute.key/value If Name is AutoComplete then Value is mapped to target.resource.attribute.key/value
SessionId	network.session_id

UserSubmissionTriage

次の表に、オペレーション「UserSubmissionTriage」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SCAN_UNCATEGORIZED security_result.category is set to MAIL_SPAM
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	about.labels.key/value
ClientApplication	principal.application
Version	metadata.product_version
ExtendedProperties	security_result.rule_name security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details
GradingResult	security_result.category_details
KesMailId	network.email.mail_id
P1Sender	principal.user.email_addresses
P1SenderDomain	principal.administrative_domain
P2Sender	network.email.from
Recipients	network.email.to
SenderIP	principal.ip
Subject	network.email.subject
SubmissionState	security_result.summary

FileArchived

次の表に、オペレーション「FileArchived」とワークロード「Endpoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path
Version	metadata.product_version

FileCreatedOnNetworkShare

次の表に、オペレーション「FileCreatedOnNetworkShare」とワークロード「Endpoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_CREATION
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path
Version	metadata.product_version

FileCreatedOnRemovableMedia

次の表に、オペレーション「FileCreatedOnRemovableMedia」とワークロード「Endpoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_CREATION
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path
Version	metadata.product_version

SlimFilePrinted

次の表は、ログフィールドと、オペレーション「SlimFilePrinted」とワークロード「Endpoint」に対応する UDM のマッピングを示しています。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE target.asset.type is PRINTER
Application	target.application
DeviceName	target.hostname
FileType	target.resource.attribute.labels.key/value
TargetPrinterName	target.asset.hostname
Version	metadata.product_version

FilePrinted

次の表に、オペレーション「FilePrinted」とワークロード「Endpoint」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE target.asset.type is PRINTER
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetPrinterName	target.asset.hostname
Version	metadata.product_version
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
PreviousFileName	src.file.full_path
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path
Version	metadata.product_version

ArchiveCreated

次の表に、オペレーション「ArchiveCreated」とワークロード「Endpoint」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path
Version	metadata.product_version

FileDownloadedFromBrowser

次の表に、オペレーション「FileDownloadedFromBrowser」とワークロード「Endpoint」のログフィールドとそれぞれ対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Application	target.application
DestinationLocationType	target.labels.key/value
DeviceName	target.hostname
FileExtension	target.file.mime_type
FileSize	target.file.size
FileType	target.resource.attribute.labels.key/value
Sha1	target.file.sha1
Sha256	target.file.sha256
SourceLocationType	principal.labels.key/value
TargetFilePath	target.file.full_path
Version	metadata.product_version

ユーザーのアプリケーションパスワードを作成する

次の表に、オペレーション「ユーザーのアプリケーションパスワードを作成する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

SearchNdrDetailData

次の表に、オペレーション「SearchNdrDetailData」とワークロード「SecurityComplianceCenter」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GENERIC_EVENT
StartTime	target.resource.attribute.creation_time
ClientRequestId	principal.labels.key/value
CmdletVersion	metadata.product_version
EffectiveOrganization	target.administrative_domain
UserServicePlan	principal.labels.key/value
Parameters	target.process.command_line target.resource.product_object_id
ClientApplication	principal.application
Version	metadata.product_version
SecurityComplianceCenterEventType	about.labels.key/value
AadAppId	target.labels.key/value
DatabaseType	target.resource.attribute.labels.key/value
DataType	target.labels.key/value
RelativeUrl	target.url
ResultCount	target.labels.key/value

MessageUpdated

次の表に、オペレーション「MessageUpdated」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT If ResultStatus is TRUE then action is ALLOW else action is BLOCK
ActorUserId	principal.user.email_addresses or principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

アクセス

次の表に、オペレーション「Access」とワークロード「Aip」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is set to target.file.full_path
Common	target.resource.product_object_id target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version
DataState	security_result.summary
Version	metadata.product_version

検出

次の表に、オペレーション「Discover」とワークロード「Aip」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS ObjectId is set to target.file.full_path
Common	target.resource.product_object_id target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version
DataState	security_result.summary
Version	metadata.product_version

TIUrlClickData

次の表に、オペレーション「TIUrlClickData」とワークロード「ThreatIntelligence」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
AppName	target.application
AppVersion	metadata.product_version
EventDeepLink	metadata.url_back_to_product
SourceId	AppName is Mail then SourceId is mapped to network.email.id
Url	target.url
UserIp	principal.ip
Version	metadata.product_version

デバイスが管理されなくなった

次の表に、オペレーション「デバイスが管理されなくなった」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_DELETION target.resource.resource_type is set to DEVICE
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.asset.product_object_id target.platform If Name is TargetId.DeviceId then NewValue is mapped to target.asset.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

AirInvestigationData

次の表に、オペレーション「AirInvestigationData」とワークロード「AirInvestigation」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
LastUpdateTimeUtc	target.resource.attribute.last_update_time
Status	security_result.summary
InvestigationId	target.resource.product_object_id
InvestigationType	target.resource.attribute.labels.key/value
Data	security_result.description security_result.category_details network.email.to network.email.from network.email.mail_id network.email.subject network.direction principal.ip principal.administrative_domain principal.user.email_addresses Data.Description is mapped to security_result.description Data.Category is mapped to security_result.category_details Data.Entities.1.Recipient is mapped to network.email.to Data.Entities.1.Sender is mapped to network.email.from Data.Entities.1.InternetMessageId is mapped to network.email.mail_id Data.Entities.1.Subject is mapped to network.email.subject Data.Entities.1.AntispamDirection is mapped to network.direction Data.Entities.1.SenderIP is mapped to principal.ip Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain Data.Entities.1.P1Sender is mapped to principal.user.email_addresses
InvestigationName	target.resource.name
StartTimeUtc	target.resource.attribute.creation_time
Version	metadata.product_versionn
DeepLinkUrl	metadata.url_back_to_product

Set-MailboxJunkEmailConfiguration

次の表は、オペレーション「Set-MailboxJunkEmailConfiguration」とワークロード「Exchange」のログフィールドと対応する UDM マッピングの一覧です。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
OriginatingServer	principal.hostname
OrganizationName	target.administrative_domain
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
Parameters	target.user.email_addresses If Name is BlockedSendersAndDomains then Value is mapped to target.user.email_addresses (all email addresses comes as ; separated)
SessionId	network.session_id
Version	metadata.product_version

New-DistributionGroup

次の表に、オペレーション「New-DistributionGroup」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_CREATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is ManagedBy then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Member then Value is mapped to security_result.description else target.group.attribute.labels.key/value
SessionId	network.session_id

Add-DistributionGroupMember

次の表に、オペレーション「Add-DistributionGroupMember」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.group.product_object_id or target.group.email_addresses target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid else target.group.attribute.labels.key/value
SessionId	network.session_id

Remove-InboxRule

次の表に、オペレーション「Remove-InboxRule」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_DELETION target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	security_result.rule_labels.key/value
SessionId	network.session_id

Enable-Mailbox

次の表に、オペレーション「Enable-Mailbox」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_CREATION
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid if Name is Archive then Value is mapped to target.resource.attribute.labels.key/value
SessionId	network.session_id

Import

次の表に、オペレーション「Import」とワークロード「PowerBI」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to FILE_UNCATEGORIZED
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	target.user.email_addresses target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	about.user.email_addresses about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	target.resource.name
WorkspaceId	target.resource.product_object_id
SwitchState	about.labels.key/value
ImportSource	about.labels.key/value
ImportType	target.file.mime_type
ImportDisplayName	target.file.full_path

デバイスが準拠しなくなった

次の表に、オペレーション「デバイスが準拠しなくなった」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS target.resource.resource_type is set to DEVICE
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.platform target.resource.product_object_id If Name is TargetId.DeviceId then NewValue is mapped to target.resource.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

アカウントを有効にする

次の表に、オペレーション Enable account とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
ExtendedProperties	`network.http.user_agent` `target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `additionalDetails` then `extract User-Agent` is mapped to `network.http.user_agent` if `Name` is `extendedAuditEventCategory` then `target.resource.attribute.labels.key/value` else `about.labels.key/value`
ModifiedProperties	`security_result.summary` `target.resource.name` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` If `Name` is `Action Client Name` then `NewValue` is mapped to `target.resource.name` If `Name` is `HardDeleted` then `NewValue` and `OldValue` is mapped to `security_result.detection_fields.key/value` If `Name` is `GivenName` then `NewValue` and `OldValue` is mapped to `target.user.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
ActorContextId	`principal.labels.key/value`
ActorIpAddress	`principal.ip and principal.port`
InterSystemsId	`target.resource.attribute.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
SupportTicketId	`about.labels.key/value`
Target	`target.user.userid or target.user.email_addresses` If `Type` is 5 then `ID` is mapped to `target.user.userid` or `target.user.email_addresses` else `security_result.detection_fields.key/value`
version	`metadata.product_version`
TargetContextId	`target.labels.key/value`

サービスプリンシパル認証情報を追加する

次の表に、オペレーション「サービスプリンシパル認証情報を追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

Set-SyncUser

次の表に、オペレーション「Set-SyncUser」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid
SessionId	network.session_id

MessageSent

次の表に、オペレーション「MessageSent」とワークロード「MicrosoftTeams」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.
MessageSizeInBytes	target.resource.attribute.labels.key/value
ChannelGuid	target.labels.key/value
OperationScope	about.labels.key/value
TeamGuid	target.user.group_identifiers target.group.product_object_id
TeamName	target.group.group_display_name
AADGroupId	target.labels.key/value
CommunicationType	about.labels.key/value
MessageId	target.resource.product_object_id
Version	metadata.product_version
MessageVersion	target.resource.attribute.labels.key/value

サービスプリンシパルの認証情報を削除する

次の表に、オペレーション「サービスプリンシパルの認証情報を削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	security_result.summary target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

Remove-MoveRequest

次の表に、オペレーション「Remove-MoveRequest」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid If Name is ExecutingIdentity then Value is mapped to target.resource.attribute.labels.key/value

StreamInvokeGetTranscript

次の表に、オペレーション「StreamInvokeGetTranscript」とワークロード「MicrosoftStream」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId	principal.labels.key/value
EntityPath	metadata.url.back_to_product
OperationDetails	metadata.description
ResourceTitle	target.resource.name
ResourceUrl	target.url
Version	metadata.product_version

グループからオーナーを削除する

次の表に、グループ「グループからオーナーを削除する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_MODIFICATION
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.group.product_object_id target.group.group_display_nameIf Name is Group.ObjectID then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

グループにアプリロールの割り当てを追加する

次の表に、オペレーション「グループにアプリロールの割り当てを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	target.resource.product_object_id target.resource.name target.group.group_display_name If Name is AppRole.Id then NewValue is mapped to target.resource.product_object_id If Name is AppRole.DisplayName then NewValue is mapped to target.resource.name If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

Disable-MailUser

次の表に、オペレーション「Disable-MailUser」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_UNCATEGORIZED ResultStatus is True Action is set to BLOCK
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

New-FolderMoveRequest

次の表に、オペレーション「New-FolderMoveRequest」とワークロード「Exchange」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to STATUS_UPDATE
Version	metadata.product_version
AppId	target.labels.key/value
ClientAppId	target.labels.key/value
OrganizationName	target.administrative_domain
OriginatingServer	principal.hostname
Parameters	If Name is Name then Value is mapped to target.resource.name If Name is DomainController then Value is mapped to target.administrative_domain If Name is Folders then Value is mapped to target.resource.attribute.labels.key/value

ポリシーにオーナーを追加する

次の表に、オペレーション「ポリシーにオーナーを追加する」とワークロード「AzureActiveDirectory」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType	target.resource.attribute.labels.key/value
ExtendedProperties	If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value
ModifiedProperties	If Name is Policy.ObjectID then NewValue is mapped to target.resource.product_object_id If Name is Policy.DisplayName then NewValue is mapped to target.resource.name
Actor	security_result.detection_fields.key/value
ActorContextId	principal.labels.key/value
ActorIpAddress	principal.ip and principal.port
InterSystemsId	target.resource.attribute.labels.key/value
IntraSystemId	target.resource.attribute.labels.key/value
SupportTicketId	about.labels.key/value
Target	target.user.userid or target.user.email_addresses If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value
version	metadata.product_version
TargetContextId	target.labels.key/value

EditContentProviderProperties

次の表に、オペレーション「EditContentProviderProperties」とワークロード「PowerBI」のログフィールドと対応する UDM のマッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to SETTING_MODIFICATION target.resource.resource_type is set to SETTING
AppName	target.labels.key/value
DashboardName	target.resource.attribute.labels.key/value
DataClassification	target.labels.key/value
DatasetName	target.resource.attribute.labels.key/value
OrgAppPermission	We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name
ReportName	target.resource.attribute.labels.key/value
SharingInformation	RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name
WorkSpaceName	target.resource.name
WorkspaceId	target.resource.product_object_id
SwitchState	about.labels.key/value
ContentProviderCertificationStage	security_result.summary
AppId	target.labels.key/value
RequestId	about.labels.key/value

ReportingAccessed

次の表に、オペレーション「ReportingAccessed」とワークロード「Project」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to USER_RESOURCE_ACCESS
ItemType	target.resource.attribute.labels.key/value
UserAgent	network.http.user_agent
CorrelationId	security_result.detection_fields.key/value
Entity	metadata.product_name
Version	metadata.product_version
Action	security_result.description
OnBehalfOfResId	about.labels.key/value

GroupAccessFailure

次の表に、オペレーション「SupervisorAdminToggled」とワークロード「Yammer」のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	metadata.event_type is mapped to GROUP_UNCATEGORIZED
ActorUserId	principal.user.email_addresses principal.user.userid
ActorYammerUserId	principal.labels.key/value
DataExportType	target.resource.attribute.labels.key/value
FileId	target.resource.product_object_id
FileName	target.file.full_path
GroupName	target.group.group_display_name
IsSoftDelete	security_result.description is set to IsSoftDelete - {IsSoftDelete}
MessageId	target.resource.product_object_id
YammerNetworkId	principal.labels.key/value
TargetUserId	target.user.email_addresses
TargetYammerUserId	target.labels.key/value
VersionId	about.labels.key/value
Version	metadata.product_version

FileSensitivityLabelChanged

次の表に、オペレーション FileSensitivityLabelChanged とワークロード SharePoint/OneDrive のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED` `ObjectId` is mapped to `target.file.full_path`
AppAccessContext.CorrelationId	`security_result.detection_fields.key/value`
CorrelationId	`security_result.detection_fields.key/value`
DestinationFileExtension	`target.file.mime_type`
DestinationFileName	`target.file.full_path` is set to `{DestinationRelativeUrl}/{DestinationFileName}`
DestinationRelativeUrl	`target.file.full_path` is set to `{DestinationRelativeUrl}/{DestinationFileName}`
DestinationLabel	`target.labels`
EventSource	`principal.application`
HighPriorityMediaProcessing	`about.labels`
IsManagedDevice	`about.labels`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseType	`target.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListServerTemplate	`security_result.detection_fields.key/value`
SensitivityLabelEventData.ActionSource	`principal.labels.key/value`
SensitivityLabelEventData.LabelEventType	`target.labels.key/value`
SensitivityLabelEventData.OldSensitivityLabelId	`target.resource.product_object_id`
SensitivityLabelEventData.OldSensitivityLabelOwnerEmail	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
Site	`target.labels.key/value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`src.file.mime_type`
SourceFileName	`src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName}`
SourceRelativeUrl	`src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName}`
SourceLabel	`src.labels.key/value`
UserAgent	`network.http.user_agent`
UserKey	`target.labels`
Version	`metadata.product_version`
WebId	`about.labels.key/value`

FileRead

次の表に、オペレーション FileRead とワークロード Endpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_READ` `ObjectId` is mapped to `target.url`
Application	`principal.application`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`target.labels`
FileExtension	`target.file.mime_type`
FileSize	`target.file.size`
FileType	`target.resource.attribute.labels.key/value`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
PolicyMatchInfo	`target.resource.product_object_id` `security_result.summary` `security_result.rule_id` `security_result.rule_name` `PolicyId` is mapped to `target.resource.product_object_id` `PolicyName` is mapped to `security_result.summary` `RuleId` is mapped to `security_result.rule_id` `RuleName` is mapped to `security_result.rule_name`
RMSEncrypted	`security_result.detection_fields.key/value`
SensitiveInfoTypeData	`security_result.detection_fields.key/value` `security_result.confidence_details`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
Sha1	`target.file.sha1`
Sha256	`target.file.sha256`
SourceLocationType	`principal.labels.key/value`

MessageReadReceiptReceived

次の表に、オペレーション MessageReadReceiptReceived とワークロード MicrosoftTeams のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`
ChatThreadId	`target.user.group_identifiers` `target.group.product_object_id`
CommunicationType	`about.labels.key/value`
MessageId	`target.resource.product_object_id`
MessageVersion	`target.resource.attribute.labels.key/value`
MessageVisibilityTime	`target.resource.attribute.labels.key/value`
ParticipantInfo.HasForeignTenantUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasOtherGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasUnauthenticatedUsers	`security_result.detection_fields.key/value`
ParticipantInfo.ParticipatingTenantIds	`security_result.detection_fields.key/value`

検索

次の表に、オペレーション Search とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UNCATEGORIZED`
AadAppId	`target.labels.key/value`
RelativeUrl	`target.url`
ResultCount	`target.labels.key/value`
Version	`metadata.product_version`
DataType	`security_result.description`

TaskDeleted

次の表に、オペレーション TaskDeleted とワークロード MicrosoftTodo のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_DELETION` `target.resource.resource_type` is set to `TASK`
ActorAppId	`target.labels.key/value`
ItemId	`security_result.detection_fields.key/value`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value`
TargetActorTenantId	`target.labels.key/value`

TaskUpdated

次の表に、オペレーション TaskUpdated とワークロード MicrosoftTodo のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN` `target.resource.resource_type` is set to `TASK`
ActorAppId	`target.labels.key/value`
ItemId	`security_result.detection_fields.key/value`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value`
TargetActorTenantId	`target.labels.key/value`

TaskCreation

次の表に、オペレーション TaskCreation とワークロード MicrosoftTodo のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_CREATION` `target.resource.resource_type` is set to `TASK`
ActorAppId	`target.labels.key/value`
ItemId	`security_result.detection_fields.key/value`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value`
TargetActorTenantId	`target.labels.key/value`

SecurityGroupModified

次の表に、オペレーション SecurityGroupModified とワークロード Project のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `GROUP_MODIFICATION`
CorrelationId	`security_result.detection_fields.key/value`
Entity	`metadata.product_name`
EventSource	`principal.application`
ItemType	`target.resource.attribute.labels.key/value`
UserAgent	`network.http.user_agent`
UserKey	`target.labels`
Version	`metadata.product_version`
AppAccessContext.UniqueTokenId	`target.labels`
AppAccessContext.CorrelationId	`security_result.detection_fields.key/value`

LaunchPowerApp

次の表に、オペレーション LaunchPowerApp とワークロード PowerApps のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `GENERIC_EVENT`
AppName	`target.labels.key/value`
Version	`metadata.product_version`

DeleteDatasetRows

次の表に、オペレーション DeleteDatasetRows とワークロード PowerBI のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_DELETION`. If `ResultStatus` is TRUE then `Action` is set to `ALLOW` and `security_result.summary` is set to `DataSetRow deletion successful` else `Action` is set to `BLOCK` and `security_result.summary` is set to `DataSetRow deletion failed`.
UserAgent	`network.http.user_agent`
WorkSpaceName	`target.resource.attribute.labels.key/value`
DatasetName	`target.resource.attribute.labels.key/value`
WorkspaceId	`target.resource.attribute.labels.key/value`
DatasetId	`target.resource.product_object_id`
DataConnectivityMode	`target.resource.attribute.labels.key/value`
ArtifactId	`target.resource.attribute.labels.key/value`
RequestId	`about.labels.key/value`
ActivityId	`principal.labels.key/value`
TableName	`target.resource.attribute.labels.key/value`
LastRefreshTime	`about.labels.key/value`
ArtifactKind	`target.resource.attribute.labels.key/value`

New-DlpCompliancePolicy

次の表に、オペレーション New-DlpCompliancePolicy とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels`
UserServicePlan	`principal.labels.key/value`
Version	`metadata.product_version`

New-DlpComplianceRule

次の表に、オペレーション New-DlpComplianceRule とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels`
UserServicePlan	`principal.labels.key/value`
Version	`metadata.product_version`

Get-InsiderRiskPolicy

次の表に、オペレーション Get-InsiderRiskPolicy とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`.
ClientApplication	`principal.labels.key/value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels`
UserServicePlan	`principal.labels.key/value`
Version	`metadata.product_version`

Set-HostedContentFilterPolicy

次の表に、オペレーション Set-HostedContentFilterPolicy とワークロード Exchange のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`. `target.resource.resource_type` is set to `SETTING`. If `ResultStatus` is TRUE then `Action` is set to `ALLOW` else `Action` is set to `BLOCK`.
ExternalAccess	`about.labels.key/value`
ObjectId	`target.resource.product_object_id`
Version	`metadata.product_version`
Parameters	`target.resource.attribute.labels.key/value`
UserKey	`target.labels.key/value`

強力な認証を有効にします。

次の表に、オペレーション Enable Strong Authentication. とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field UDM mapping

metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.

ExtendedProperties

If Name is equal to additionalDetails then User-Agent is mapped with network.http.user_agent

else if Name is equal to extendedAuditEventCategory then User-Agent is mapped with target.resource.attribute.labels.key/value

else User-Agent is mapped with about.labels.key/value.

ModifiedProperties

If Name is equal to Included Updated Properties then NewValue is mapped with security_result.summary

else User-Agent is mapped with target.labels.key/value.

ReactedToMessage

次の表に、オペレーション ReactedToMessage とワークロード MicrosoftTeams のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.IssuedAtTime	`target.labels.key/value`
AppAccessContext.UniqueTokenId	`target.labels.key/value`
ChatThreadId	`target.user.group_identifiers`
ChatThreadId	`target.group.product_object_id`
MessageReactionType	`target.resource.attribute.labels.key/value`
ChatName	`target.group.group_display_name`
MessageId	`target.resource.product_object_id`
ParticipantInfo.HasForeignTenantUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasOtherGuestUsers	`security_result.detection_fields.key/value`
ParticipantInfo.HasUnauthenticatedUsers	`security_result.detection_fields.key/value`
ParticipantInfo.ParticipatingTenantIds	`security_result.detection_fields.key/value`

RemovableMediaUnmount

次の表に、オペレーション RemovableMediaUnmount とワークロード Endpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
MDATPDeviceId	`target.asset.asset_id`
Platform	`target.labels.key/value`
Scope	`target.labels.key/value`
RemovableMediaDeviceAttributes.Manufacturer	`target.asset.hardware.manufacturer`
RemovableMediaDeviceAttributes.Model	`target.asset.hardware.model`
RemovableMediaDeviceAttributes.SerialNumber	`target.asset.hardware.serial_number`

FileUploadedToCloud

次の表に、オペレーション FileUploadedToCloud とワークロード Endpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_SYNC`.
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`target.labels.key/value`
EvidenceFile.FullUrl	`target.file.full_path`
EvidenceFile.StorageName	`target.file.names`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.Count	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.Confidence	`security_result.detection_fields.key/value`
SensitiveInfoTypeData.SensitiveInfoTypeName	`security_result.detection_fields.key/value`
TargetPrinterName	`target.asset.hostname`
	`target.asset.type` is set to `PRINTER`
TargetDomain	`target.labels.key/value`

GenerateDataflowSasToken

次の表に、オペレーション GenerateDataflowSasToken とワークロード PowerBI のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_CHANGE_PERMISSIONS`.
DataflowAccessTokenRequestParameters.entityName	`principal.labels.key/value`
DataflowAccessTokenRequestParameters.partitionUri	`principal.labels.key/value`
DataflowAccessTokenRequestParameters.permissions	`principal.labels.key/value`
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes	`principal.labels.key/value`
DataflowId	`target.resource.product_object_id`
DataflowName	`target.resource.name`
IsSuccess	If `IsSuccess` is TRUE then `Action` is set to `ALLOW` else `Action` is set to `BLOCK`.
ItemName	`target.labels.key/value`

GenerateScreenshot

次の表に、オペレーション GenerateScreenshot とワークロード PowerBI のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`.

MDCAssessments

次の表に、オペレーション MDCAssessments とワークロード CompliancePostureManagement のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `SCAN_UNCATEGORIZED`.
PropertyBag.AssessmentStatusPerInitiative.ArnEventId	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.CloudProvider	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.CustomerResourceId	`about.resource.product_object_id`
PropertyBag.AssessmentStatusPerInitiative.EventType	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.ResourceName	`about.resource.name`
PropertyBag.AssessmentStatusPerInitiative.ResourceType	`about.resource.resource_subtype`
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.StatusCode	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.SubscriptionId	`about.labels.key/value`
PropertyBag.AssessmentStatusPerInitiative.SubscriptionName	`about.labels.key/value`
PropertyBag.DataType	`about.labels.key/value`

RemovableMediaMount

次の表に、オペレーション RemovableMediaMount とワークロード Endpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
MDATPDeviceId	`target.asset.asset_id`
Platform	`target.labels.key/value`
Scope	`target.labels.key/value`
RemovableMediaDeviceAttributes.Manufacturer	`target.asset.hardware.manufacturer`
RemovableMediaDeviceAttributes.Model	`target.asset.hardware.model`
RemovableMediaDeviceAttributes.SerialNumber	`target.asset.hardware.serial_number`

SignInEvent

次の表に、オペレーション SignInEvent とワークロード SharePoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_UNCATEGORIZED`.
AuthenticationType	`principal.labels.key/value`
BrowserName	`principal.labels.key/value`
BrowserVersion	`principal.labels.key/value`
DeviceDisplayName	`principal.labels.key/value`
IsManagedDevice	`principal.labels.key/value`

ApprovedRequest

次の表に、オペレーション ApprovedRequest とワークロード MicrosoftTeams のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_PERMISSIONS`.
ItemName	`target.labels.key/value`

CreateForm

次の表に、オペレーション CreateForm とワークロード MicrosoftForms のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_CREATION`.
FormsUserType	`target.labels.key/value`
SourceApp	`principal.application`

ListForms

次の表に、オペレーション ListForms とワークロード MicrosoftForms のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.

MDCRegulatoryComplianceAssessments

次の表に、オペレーション MDCRegulatoryComplianceAssessments とワークロード CompliancePostureManagement のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `SCAN_UNCATEGORIZED`.
PropertyBag.DataType	`about.labels.key/value`
PropertyBag.Policy.ArnEventId	`about.labels.key/value`
PropertyBag.Policy.Description	`about.labels.key/value`
PropertyBag.Policy.DetailsLink	`about.labels.key/value`
PropertyBag.Policy.EventTime	`about.labels.key/value`
PropertyBag.Policy.EventType	`about.labels.key/value`
PropertyBag.Policy.PolicyInitiativeId	`about.labels.key/value`
PropertyBag.Policy.PolicyInitiativeName	`about.labels.key/value`

PreviewForm

次の表に、オペレーション PreviewForm とワークロード MicrosoftForms のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_ACCESS`.

ViewedApprovalRequest

次の表に、オペレーション ViewedApprovalRequest とワークロード MicrosoftTeams のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_ACCESS`.
ItemName	`target.labels.key/value`

ListCreated

次の表に、オペレーション ListCreated とワークロード SharePoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.UniqueTokenId	`target.labels.key/value`
ListColor	`target.labels.key/value`
ListIcon	`target.labels.key/value`

SiteColumnCreated

次の表に、オペレーション SiteColumnCreated とワークロード OneDrive のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
ObjectId	`target.resource.product_object_id`

ListViewUpdated

次の表に、オペレーション ListViewUpdated とワークロード SharePoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
AppAccessContext.UniqueTokenId	`target.labels.key/value`
AuthenticationType	`principal.labels.key/value`
BrowserName	`principal.labels.key/value`
BrowserVersion	`principal.labels.key/value`
CustomizedDoclib	`principal.labels.key/value`
DeviceDisplayName	`principal.labels.key/value`
FromApp	`principal.labels.key/value`
IsManagedDevice	`principal.labels.key/value`
ItemCount	`target.labels.key/value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseTemplateType	`target.labels.key/value`
ListBaseType	`target.labels.key/value`
ListColor	`target.labels.key/value`
ListIcon	`target.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListTitle	`about.labels.key/value`
ObjectId	`target.url`
Platform	`target.labels.key/value`
RecordType	`security_result.detection_fields.key/value`
Site	`target.labels.key/value`
Source	`security_result.description`
TemplateTypeId	`about.labels.key/value`
WebId	`about.labels.key/value`

TeamsUserSignedOut

次の表に、オペレーション TeamsUserSignedOut とワークロード MicrosoftTeams のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_LOGOUT`.
	`extension.auth.auth_type` is mapped to `SSO`.
ChannelGuid	`target.labels.key/value`
ChannelName	`target.labels.key/value`
ChatName	`target.group.group_display_name`
ChatThreadId	`target.user.group_identifiers`
DeviceInformation	`principal.labels.key/value`
ItemName	`target.labels.key/value`
MessageId	`target.labels.key/value`
MessageVersion	`target.labels.key/value`
ObjectId	`target.labels.key/value`
TeamGuid	`target.group.product_object_id`
TeamName	`target.group.group_display_name`
UserKey	`target.labels.key/value`
UserType	`target.user.attribute.roles`
Version	`metadata.product_version`

ワークスペースの取得

次の表に、オペレーション GetWorkspaces とワークロード PowerBI のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Activity	`about.labels.key/value`
ActivityId	`about.labels.key/value`
AggregatedWorkspaceInformation.WorkspaceCount	`target.labels.key/value`
AggregatedWorkspaceInformation.WorkspacesByCapacitySku	`target.labels.key/value`
AggregatedWorkspaceInformation.WorkspacesByType	`target.labels.key/value`
IsSuccess	`security_result.action`
UserAgent	`network.http.user_agent`

ConnectFromExternalApplication

次の表に、オペレーション ConnectFromExternalApplication とワークロード PowerBI のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
Activity	`about.labels.key/labels`
CustomData	`about.labels.key/value`

タスクリストの読み取り

次の表に、オペレーション TaskListRead とワークロード Planner のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
UserKey	`principal.labels.key/labels`
ObjectId	`target.labels.key/labels`
TaskList	`target.labels.key/value`

PutConnection

次の表に、オペレーション PutConnection とワークロード PowerApps のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ObjectId	`target.labels.key/value`
Version	`metadata.product_version`
AdditionalInfo.actionName	`security_result.detection_fields.key/value`
ResourceId	`target.labels.key/value`
UserKey	`target.label.key/value`
AdditionalInfo.environmentName	`target.labels.key/value`

AdminSubmissionTablAllow

次の表に、オペレーション AdminSubmissionTablAllow とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `GENERIC_EVENT`.
SubmissionContent	`security_result.detection_fields.key/value`
SubmissionContentType	`security_result.detection_fields.key/value`
ObjectId	`target.labels.key/value`
Recipients	`network.email.to`
SubmissionState	`security_result.summary`
SubmissionId	`security_result.detection_fields.key/value`
ExtendedProperties	`principal.labels.key/value` `about.labels.key/value` If `Name` is `AdminReviewTime` or `AdminReviewResult` then `Value` is mapped to`principal.labels.key/value`. Else `about.labels.key/value`.
SubmissionConfidenceLevel	`security_result.detection_fields.key/value`
SubmissionType	`security_result.detection_fields.key/value`
MessageDate	`about.labels.key/value`
P1SenderDomain	`principal.administrative_domain`
UserKey	`target.label.key/value`
P2SenderDomain	`about.administrative_domain`
Subject	`network.email.subject`
Version	`metadata.product_version`

連絡先を追加

次の表に、オペレーション Add contact. とワークロード AzureActiveDirectory のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_CREATION`. `target.resource.resource_subtype` is set to `Contact`.
ObjectId	`target.labels.key/value`
IntraSystemId	`target.resource.attribute.labels.key/value`
ActorContextId	`principal.labels.key/value`
SupportTicketId	`about.labels.key/value`
InterSystemsId	`target.resource.attribute.labels.key/value`
TargetContextId	`target.labels.key/value`
UserKey	`target.label.key/value`
Target	`security_result.detection_fields.key/value`
AzureActiveDirectoryEventType	`target.resource.attribute.labels.key/value`
Actor	`security_result.detection_fields.key/value`
Version	`metadata.product_version`
ExtendedProperties	`target.resource.attribute.labels.key/value` `about.labels.key/value` If `Name` is `extendedAuditEventCategory` then `Value` is mapped to `target.resource.attribute.labels.key/value`. Else `about.labels.key/value`.
ModifiedProperties	`target.resource.name` `target.resource.attribute.labels.key/value` `security_result.detection_fields.key/value` `security_result.summary` If `Name` is `Included Updated Properties` then `NewValue` is mapped to `security_result.summary` and `OldValue` is mapped to `security_result.detection_field.key/value`. Else if `Name` is `DisplayName` then `NewValue` is mapped to `target.resource.name` and `OldValue` is mapped to `target.resource.attribute.key/value`. Else `target.resource.attribute.labels.key/value`.

WorkspacePortalUrlReceived

次の表に、オペレーション WorkspacePortalUrlReceived とワークロード MicrosoftDefenderForIdentity のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ResultDescription	`security_result.detection_fields.key.value`
UserKey	`target.labels.key/value`

PutConnectionPermission

次の表に、オペレーション PutConnectionPermission とワークロード PowerApps のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_PERMISSIONS_CHANGE`. `target.resource.resource_type` is set to `SETTING`.
ObjectId	`target.labels.key/value`
Version	`metadata.product_version`
AdditionalInfo.actionName	`security_result.detection_fields.key/value`
ResourceId	`target.resource.attribute.labels.key/value`
UserKey	`target.label.key/value`
AdditionalInfo.environmentName	`target.resource.attribute.labels.key/value`
AdditionalInfo.targetObjectId	`target.resource.product_object_id`

SensitivityLabeledFileOpened

次の表に、オペレーション SensitivityLabeledFileOpened とワークロード PublicEndpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_OPEN`.
PreviousProtectionType.protectionType	`security_result.detection_fields.key/value`
CurrentProtectionType.protectionType	`security_result.detection_fields.key/value`
DeviceName	`target.hostname`
CurrentProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
CurrentProtectionType.owner	`security_result.about.email_addresses`
TargetLocation	`target.labels.key/value`
UserKey	`target.labels.key/value`
LabelId	`target.labels.key/value`
CurrentProtectionType.templateId	`security_result.detection_fields.key/value`
ProtectionEventType	`security_result.detection_fields.key/value`
ContentType	`target.labels.key/value`
Platform	`target.platform`
UserSku	`principal.labels.key/value`
PreviousProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
ObjectId	`target.url`
PreviousProtectionType.owner	`security_result.about.email_addresses`
Application	`principal.application`
PreviousProtectionType.templateId	`security_result.detection_fields.key/value`

検証

次の表に、オペレーション Validate とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ResultCount	`target.labels.key/value`
DataType	`security_result.description`
UserKey	`target.labels.key/value`
AadAppId	`target.labels.key/value`
RelativeUrl	`target.url`

SensitivityLabeledFileRenamed

次の表に、オペレーション SensitivityLabeledFileRenamed とワークロード PublicEndpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_MOVE`.
PreviousProtectionType.protectionType	`security_result.detection_fields.key/value`
CurrentProtectionType.protectionType	`security_result.detection_fields.key/value`
DeviceName	`target.hostname`
CurrentProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
CurrentProtectionType.owner	`security_result.about.email_addresses`
TargetLocation	`target.labels.key/value`
UserKey	`target.labels.key/value`
LabelId	`target.labels.key/value`
CurrentProtectionType.templateId	`security_result.detection_fields.key/value`
ProtectionEventType	`security_result.detection_fields.key/value`
ContentType	`target.labels.key/value`
Platform	`target.platform`
UserSku	`principal.labels.key/value`
PreviousProtectionType.documentEncrypted	`security_result.detection_fields.key/value`
ObjectId	`target.url`
PreviousProtectionType.owner	`security_result.about.email_addresses`
Application	`principal.application`
PreviousProtectionType.templateId	`security_result.detection_fields.key/value`
PreviousTarget	`src.url`

タスクを変更しました

次の表に、オペレーション TaskModified とワークロード Planner のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.type` is set to `TASK`.
PlanId	`target.resource.attribute.labels.key/value`
UserKey	`target.labels.key/value`
ObjectId	`target.resource.product_object_id`

タイルを削除

次の表に、オペレーション TaskModified とワークロード PowerBI のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_DELETION`.
WorkspaceId	`target.resource.product_object_id`
WorkSpaceName	`target.resource.name`
UserKey	`target.labels.key/value`
ActivityId	`principal.labels.key/value`
RefreshEnforcementPolicy	`security_result.detection_fields.key/value`
RequestId	`about.labels.key/value`
IsSuccess	`security_result.action`
UserAgent	`network.http.user_agent`
ObjectId	`target.resource.attribute.labels.key/value`

QualantineReleaseMessage

次の表に、オペレーション QuarantineReleaseMessage とワークロード Quarantine のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
NetworkMessageId	`security_result.detection_fields.key/value`
ReleaseTo	`security_result.detection_fields.key/value`
RequestType	`security_result.detection_fields.key/value`
RequestSource	`security_result.detection_fields.key/value`

WorkspaceStatusReceived

次の表に、オペレーション WorkspaceStatusReceived とワークロード MicrosoftDefenderForIdentity のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ResultDescription	`security_result.detection_fields.key/value`

リンクされたエンティティの更新

次の表に、オペレーション LinkedEntityUpdated とワークロード MicrosoftTodo のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_WRITTEN`. `target.resource.resource_type` is set to `TASK`.
ActorAppId	`target.labels.key/value`
ItemId	`security_result.detection_fields.key/value` and `target.resource.product_object_id`
ItemType	`target.resource.attribute.labels.key/value`
TargetActorId	`target.labels.key/value`
TargetActorTenantId	`target.labels.key/value`

回答を表示

次の表に、オペレーション ViewResponse とワークロード MicrosoftForms のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`.
FormsUserTypes	principal.labels.key/value
SourceApp	principal.application
FormName	target.resource.name
FormId	target.resource.product_object_id

PlanListRead

次の表に、オペレーション PlanListRead とワークロード Planner のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `RESOURCE_READ`. `target.resource.resource_subtype` is set to `Plan`.
PlanList	`target.resource.product_object_id`
ObjectId	`target.resource.attribute.labels.key/value`

O365SyncAdminUserPromotion

次の表に、オペレーション O365SyncAdminUserPromotion とワークロード Yammer のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `STATUS_UPDATE`.
ActorUserId	`principal.user.email_addresses` or `principal.user.userid`
ActorYammerUserId	`principal.labels.key/value`
ObjectId	`target.labels.key/value`
YammerNetworkId	`principal.labels.key/value`

FileCopiedTo クリップボード

次の表に、オペレーション FileCopiedToClipboard とワークロード Endpoint のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_UNCATEGORIZED`.
Application	`principal.application`
DeviceName	`target.hostname`
DlpAuditEventMetadata.DlpPolicyMatchId	`security_result.detection_fields.key/value`
DlpAuditEventMetadata.EvaluationTime	`security_result.detection_fields.key/value`
EnforcementMode	`target.labels.key/value`
EvidenceFile.FullUrl	`target.labels.key/value`
EvidenceFile.StorageName	`target.labels.key/value`
FileExtension	`target.file.mime_type`
FileType	`target.resource.attribute.labels.key/value`
Hidden	`security_result.detection_fields.key/value`
JitTriggered	`security_result.detection_fields.key/value`
MDATPDeviceId	`security_result.detection_fields.key/value`
ObjectId	`target.file.full_path`
Platform	`target.labels.key/value`
PolicyMatchInfo	`target.resource.product_object_id` `security_result.summary` `security_result.rule_id` `security_result.rule_name` `PolicyId` is mapped to `target.resource.product_object_id` `PolicyName` is mapped to `security_result.summary` `RuleId` is mapped to `security_result.rule_id` `RuleName` is mapped to `security_result.rule_name`
SensitiveInfoTypeData	`security_result.detection_fields.key/value` `security_result.confidence_details`
Scope	`target.labels.key/value`
RMSEncrypted	`security_result.detection_fields.key/value`
SensitivityLabelEventData.SensitivityLabelId	`security_result.detection_fields.key/value`
SourceLocationType	`principal.labels.key/value`
TargetDomain	`target.domain.name`
TargetFilePath	`target.labels.key/value`
OriginatingDomain	`principal.domain.name`

FileTranscriptContentAccessed

次の表に、オペレーション FileTranscriptContentAccessed とワークロード OneDrive のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `FILE_READ`.
AlternateStreamId	`security_result.detection_fields.key/value`
ApplicationDisplayName	`target.application` and `target.resource.name`
ApplicationId	`target.resource.product_object_id`
AuthenticationType	`principal.labels.key/value`
AppAccessContext.UniqueTokenId	`target.labels.key/value`
BrowserName	`principal.labels.key/value`
BrowserVersion	`principal.labels.key/value`
DeviceDisplayName	`principal.labels.key/value`
IsManagedDevice	`principal.labels.key/value`
EventSource	`principal.application`
HighPriorityMediaProcessing	`about.labels.key/value`
ItemType	`target.resource.attribute.labels.key/value`
ListBaseType	`target.labels.key/value`
ListId	`security_result.detection_fields.key/value`
ListItemUniqueId	`principal.asset_id`
ListServerTemplate	`security_result.detection_fields.key/value`
ObjectId	`target.url`
Platform	`target.labels.key/value`
Site	`target.labels.key/value`
SiteUrl	`network.http.referral_url`
SourceFileExtension	`target.file.mime_type`
SourceFileName	`target.file.full_path` is mapped to `SourceRelativeUrl`/`SourceFileName`.
SourceRelativeUrl	`target.file.full_path` is mapped to `SourceRelativeUrl`/`SourceFileName`.
UserAgent	`network.http.user_agent`
WebId	`about.labels.key/value`

Set-DlpCompliancePolicy

次の表に、オペレーション Set-DlpCompliancePolicy とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_UPDATE_CONTENT`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value`
UserServicePlan	`principal.labels.key/value`
Version	`metadata.product_version`

Remove-DlpCompliancePolicy

次の表に、オペレーション Remove-DlpCompliancePolicy とワークロード SecurityComplianceCenter のログフィールドと対応する UDM マッピングを示します。

Log field	UDM mapping
	`metadata.event_type` is mapped to `USER_RESOURCE_DELETION`. `target.resource.resource_type` is set to `ACCESS_POLICY`.
ClientApplication	`principal.labels.key/value`
CmdletVersion	`metadata.product_version`
EffectiveOrganization	`target.administrative_domain`
ObjectId	`target.resource.product_object_id`
Parameters	`target.process.command_line`
SecurityComplianceCenterEventType	`about.labels.key/value`
StartTime	`target.resource.attribute.creation_time`
UserKey	`target.labels.key/value`
UserServicePlan	`principal.labels.key/value`
Version	`metadata.product_version`

次のステップ

Chronicle へのデータ取り込み

Microsoft 365 ログを収集する

概要

始める前に

Microsoft 365 ログを取り込むように Chronicle のフィードを構成する

フィールド マッピング リファレンス

共通フィールド

FileAccessed

FileAccessedExtended

FileDeleted

FileCopied

FileModified

FileDownloaded

FileModifiedExtended

FileMoved

FilePreviewed

FileRenamed

FileUploaded

FileVersionsAllDeleted

FileCheckedIn

FileCheckedOut

ComplianceSettingChanged

LockRecord

UnlockRecord

FileDeletedFirstStageRecycleBin

FileDeletedSecondStageRecycleBin

RecordDelete

DocumentSensitivityMismatchDetected

DocumentSensitivityMismatchDetected

FileCheckOutDiscarded

FileVersionsAllMinorsRecycled

FileVersionsAllRecycled

FileVersionRecycled

FileRestored

FileMalwareDetected

SearchQueryPerformed

PageViewed

PagePrefetched

ClientViewSignaled

PageViewedExtended

FolderCreated

FolderDeleted

FolderMoved

FolderRenamed

FolderModified

FolderCopied

FolderRestored

FolderDeletedFirstStageRecycleBin

FolderDeletedSecondStageRecycleBin

FileSyncDownloadedFull

FileSyncDownloadedPartial

FileSyncUploadedFull

FileSyncUploadedPartial

ManagedSyncClientAllowed

UnmanagedSyncClientBlocked

AddedToGroup

GroupAdded

GroupRemoved

WebRequestAccessModified

WebMembersCanShareModified

PermissionLevelModified

SiteCollectionAdminAdded

SiteCollectionAdminRemoved

PermissionLevelRemoved

RemovedFromGroup

GroupUpdated

ProjectCheckedOut

ProjectAccessed

SharingInheritanceBroken

AddToSecureLink

CompanyLinkCreated

CompanyLinkUsed

SecureLinkCreated

SharingInvitationCreated

SecureLinkDeleted

RemoveFromSecureLink

SharingInvitationRevoked

SecureLinkUpdated

SecureLinkUsed

SharingRevoked

SharingSet

フィールドマッピングリファレンス

ユーザーパスワードの変更

ユーザーパスワードを再設定

ユーザーのアプリケーションパスワードを削除する

サービスプリンシパルを更新する

サービスプリンシパルを追加する

サービスプリンシパルを削除する