Microsoft 365 로그 수집
이 문서에서는 Chronicle 피드를 설정하여 Microsoft 365 로그를 수집하는 방법과 로그 필드가 Chronicle 통합 데이터 모델(UDM) 필드에 매핑되는 방법을 설명합니다. 이 문서에는 지원되는 감사 대상 활동 및 지원되는 Microsoft 365 버전도 나와 있습니다.
Chronicle 데이터 수집에 대한 개요는 Chronicle 데이터 수집을 참조하세요.
개요
다음 배포 아키텍처 다이어그램은 Microsoft 365 및 Chronicle 피드를 Chronicle로 로그를 보내도록 구성하는 방법을 보여줍니다. 각 고객 배포는 이 표현과 다를 수 있으며 더 복잡할 수 있습니다.
이 아키텍처 다이어그램은 다음 구성요소를 보여줍니다.
Microsoft 365. 로그를 수집하는 Microsoft 365 서비스입니다.
Chronicle 피드. Microsoft 365에서 로그를 가져오고 Chronicle에 로그를 작성하는 Chronicle 피드입니다.
Chronicle. Chronicle은 Microsoft 365의 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 OFFICE_365 수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
Microsoft 365 버전 2204 빌드 16.0.15128.20248 이상을 사용하고 Microsoft Security and Compliance Center 기능이 있는 Microsoft 365 Enterprise E5 구독이 있는지 확인합니다.
지원되는 모든 Microsoft 제품에 대해 다른 이벤트를 생성하고 내보내기 위해 사용자에게 필요한 권한 및 권한을 부여합니다. 예시 권한은 관리 API에 대한 액세스 권한을 참조하세요.
로그를 검색하고 내보내도록 Microsoft 365를 구성합니다. Microsoft Azure Active Directory(Azure AD)는 Microsoft 365용 디렉터리 서비스입니다. 로그를 생성하는 데 최대 24시간이 걸립니다. 자세한 내용은 감사 로그 검색을 참조하세요.
배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
Chronicle 파서가 지원하는 활동과 제품을 검토합니다. 다음 표에는 Chronicle 파서가 지원하는 활동과 제품이 나열되어 있습니다.
활동 제품 파일 및 페이지 활동 SharePoint Online 및 비즈니스용 OneDrive 폴더 활동 SharePoint Online 및 비즈니스용 OneDrive SharePoint 목록 활동 SharePoint Online 요청 활동 공유 및 액세스 SharePoint Online 및 비즈니스용 OneDrive 동기화 활동 SharePoint Online 및 비즈니스용 OneDrive 사이트 권한 활동 SharePoint Online 사이트 관리 활동 SharePoint Online Exchange 편지함 활동 Microsoft 365 그룹 편지함 사용자 관리 활동 Microsoft 365 관리 센터 Azure AD 그룹 관리 활동 Microsoft 365 관리 센터 애플리케이션 관리 활동 관리자가 Azure AD에 등록된 애플리케이션을 추가하거나 변경하는 경우 역할 관리 활동 Microsoft 365 관리 센터 디렉터리 관리 활동 Microsoft 365 관리 센터 Power BI 활동 Power BI Microsoft Teams 활동 Microsoft Teams Microsoft Teams Shifts 활동 Microsoft Teams의 Shifts 앱 Microsoft Teams 의료 활동 Microsoft Teams의 Patients 애플리케이션 Microsoft Teams Shifts 활동 Microsoft Teams의 Shifts 앱 Yammer 활동 Yammer Microsoft Power Automate 활동 Power Automate(이전 명칭: Microsoft Flow) Microsoft PowerApps 활동 Power Apps Microsoft Stream 활동 Microsoft Stream 격리 활동 Office 365에서 이메일 메시지 격리하기 Microsoft Forms 활동 Microsoft Teams 민감도 라벨 활동 SharePoint Online 및 Teams용 라벨 지정 활동 보관 정책 및 보관 라벨 활동 해당 없음 브리핑 이메일 활동 브리핑 이메일 MyAnalytics 활동 MyAnalytics 정보 장벽 활동 해당 없음 처리 검토 활동 해당 없음 커뮤니케이션 규정 준수 활동 해당 없음 정의되지 않은 활동 해당 없음
Microsoft 365 로그를 수집하도록 Chronicle에서 피드 구성
- Chronicle 설정으로 이동하고 피드를 클릭합니다.
- 'Add New(새 항목 추가)'를 클릭합니다.
- 소스 유형으로 타사 API를 선택합니다.
- 로그 유형으로 Office 365를 선택합니다.
- 다음을 클릭합니다.
- Microsoft 365 구성에 따라 OAuth 클라이언트 ID, OAuth 클라이언트 보안 비밀번호, 테넌트 ID 세부정보를 지정합니다.
- 이 피드를 만들려는 콘텐츠 유형을 선택합니다. 필요한 콘텐츠 유형마다 별도의 피드를 만들어야 합니다.
- 다음을 클릭한 후 제출을 클릭합니다.
Chronicle 피드에 대한 자세한 내용은 Chronicle 피드 문서를 참조하세요.
필드 매핑 참조
이 섹션에서는 Chronicle 파서가 지원되는 작업과 워크로드에 대해 Microsoft 365 로그 필드를 Chronicle 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
일반 필드
다음 표에는 일반적인 로그 필드와 해당 UDM 필드가 나와 있습니다.
| Common log field | UDM field |
|---|---|
| ID | metadata.product_log_id |
| RecordType | security_result.detection_fields.key/value security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc |
| CreationTime | metadata.event_timestamp |
| Operation | metadata.product_event_type |
| OrganizationId | principal.resource.product_object_id |
| UserType | principal.user.attribute.roles.name |
| UserId | principal.user.email_addresses or principal.user.userid target.user.email_addresses or target.user.userid If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user If UserId value contains email address then it is mapped to email_address, else it is mapped to userid. |
| ClientIP | principal.ip and principal.port |
| Workload | target.application |
| AppAccessContext | network.session.id security_result.detection_fields.key/value AADSessionId is mapped to network.session.id CorrelationId is mapped to security_result.detection_fields.key/value |
지원되는 작업의 UDM 매핑에 대한 자세한 내용은 다음 섹션을 참조하세요.
FileAccessed
다음 표에는 'Fileaccessed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileAccessedExtended
다음 표에는 'FileAccessedExtended' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileDeleted
다음 표에는 'FileDeleted' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileCopied
다음 표에는 'FileCopied' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_COPY
target.resource.resource_type is set to STORAGE_OBJECT |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | src.file.full_path
target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileModified
다음 표에는 'FileModified' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MODIFICATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileDownloaded
다음 표에는 'File다운로드' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| UserSessionId | network.http.session_id |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ZipFileName | principal.resource.parent |
FileModifiedExtended
다음 표에는 'FileModifiedExtended' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MODIFICATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileMoved
다음 표에는 'FileMoved' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FilePreviewed
다음 표에는 'FilePreviewed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileRenamed
다음 표에는 'FileRenamed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileUploaded
다음 표에는 'FileUploaded' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| ImplicitShare | target.resource.attribute.labels.key/value |
FileVersionsAllDeleted
다음 표에는 'FileVersionsAllDeleted' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
FileCheckedIn
다음 표에는 'FileCheckedIn' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | workload map with intermediary.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckedOut
다음 표에는 'FileCheckedOut' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | Uniquely Identify resource in site like File or Folder |
| ItemType | This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | Information about the user's browser. This information is provided by the browser. |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
ComplianceSettingChanged
다음 표에는 'ComplianceSettingChanged' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| SharingType | target.labels.key/value |
LockRecord
다음 표에는 'LockRecord' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
UnlockRecord
다음 표에는 'UnlockRecord' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedFirstStageRecycleBin
다음 표에는 'FileDeletedFirstStageRecycleBin' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SharingType | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedSecondStageRecycleBin
다음 표에는 'FileDeletedSecondStageRecycleBin' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
RecordDelete
다음 표에는 'RecordDelete' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
다음 표에는 'DocumentSensitivityMismatchDetected' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
다음 표에는 'DocumentSensitivityMismatchDetected' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckOutDiscarded
다음 표에는 'FileCheckOutDiscarded' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllMinorsRecycled
다음 표에는 'FileVersionsAllMinorsRecycled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllRecycled
다음 표에는 'FileVersionsAllRecycled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionRecycled
다음 표에는 'FileVersionRecycled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileRestored
다음 표에는 'FileRestored' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SharingType | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileMalwareDetected
다음 표에는 'FileMalwareDetected' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| VirusInfo | security_result.threat_name |
| VirusVendor | target.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
SearchQueryPerformed
다음 표에는 'SearchQueryPerformed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
target.resource.resource_type is set to STORAGE_OBJECT |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| EventData | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
PageViewed
다음 표에는 'PageViewed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
PagePrefetched
다음 표에는 'PagePrefetched' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
ClientViewSignaled
다음 표에는 'ClientViewSignaled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
PageViewedExtended
다음 표에는 'PageViewedExtended' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
FolderCreated
다음 표에는 'FolderCreated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeleted
다음 표에는 'FolderDeleted' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderMoved
다음 표에는 'FolderMoved' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE
target.resource.resource_type is set to STORAGE_OBJECT |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl field not getting in log |
| DestinationRelativeUrl | DestinationRelativeUrl field not getting in log
target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | DestinationFileName field not getting in log
target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | src.file.full_path
target.file.full_path Extract SourceFileUrl is mapped to src_file_full_path TargetFileUrl is mapped to target_file_full_path grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl} |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderRenamed
다음 표에는 'FolderRenamed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderModified
다음 표에는 'FolderModified' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderCopied
다음 표에는 'FolderCopied' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_COPY
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path |
| SourceRelativeUrl | src.file.full_path |
| DestinationRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| DestinationFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderRestored
다음 표에는 'FolderRestored' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedFirstStageRecycleBin
다음 표에는 'FolderDeletedFirstStageRecycleBin' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedSecondStageRecycleBin
다음 표에는 'FolderDeletedSecondStageRecycleBin' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedFull
다음 표에는 'FileSyncDownloadedFull' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is set to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | src.file.size |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedPartial
다음 표에는 'FileSyncDownloadedPartial' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to src.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | src.file.size |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedFull
다음 표에는 'FileSyncUploadedFull' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | target.file.size |
| ImplicitShare | target.resource.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedPartial
다음 표에는 'FileSyncUploadedPartial' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| FileSyncBytesCommitted | target.file.size |
| ImplicitShare | target.resource.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
ManagedSyncClientAllowed
다음 표에는 'ManagedSyncClientAllowed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_WRITTEN | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
UnmanagedSyncClientBlocked
다음 표에는 'UnmanagedSyncClientBlocked' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
AddedToGroup
다음 표에는 'AddedToGroup' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is mapped to target.url |
|
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| EventData | target.group.group_display_name |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
GroupAdded
다음 표에는 'GroupAdded' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
ObjectId is mapped to target.url |
|
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
GroupRemoved
다음 표에는 'GroupRemoved' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
WebRequestAccessModified
다음 표에는 'WebRequestAccessModified' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
WebMembersCanShareModified
다음 표에는 'WebMembersCanShareModified' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| version | metadata.product_version |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
PermissionLevelModified
다음 표에는 'PermissionLevelModified' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.resource.attribute.permissions.name
BasePermissions is mapped to target.resource.attribute.permissions.name |
| version | metadata.product_version |
| WebID | about.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
SiteCollectionAdminAdded
다음 표에는 'SiteCollectionAdminAdded' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| ModifiedProperties | If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
SiteCollectionAdminRemoved
다음 표에는 'SiteCollectionAdminRemoved' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| ModifiedProperties | If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses |
| AssertingApplicationId | about.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
PermissionLevelRemoved
다음 표에는 'PermissionLevelRemoved' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.permissions.name |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
RemovedFromGroup
다음 표에는 'RemovedFromGroup' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.group.group_display_name |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
GroupUpdated
다음 표에는 'GroupUpdated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.referral_url |
| ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
ProjectCheckedOut
다음 표에는 'ProjectCheckedOut' 작업과 'Project' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| Version | metadata.product_version |
| Action | security_result.description |
| OnBehalfOfResId | about.labels.key/value |
ProjectAccessed
다음 표에는 'ProjectAccessed' 작업과 'Project' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT |
|
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| Version | metadata.product_version |
| Action | security_result.description |
| OnBehalfOfResId | about.labels.key/value |
SharingInheritanceBroken
다음 표에는 'SharingInheritanceBroken' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SharingType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
AddedToSecureLink
다음 표에는 'AddedToSecureLink' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| CorrelationId | security_result.detection_fields.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| UniqueSharingId | target.labels.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ApplicationDisplayName | target.application |
CompanyLinkCreated
다음 표에는 'CompanyLinkCreated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| ApplicationDisplayName | target.application |
CompanyLinkUsed
다음 표에는 'CompanyLinkUsed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
SecureLinkCreated
다음 표에는 'SecureLinkCreated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
SharingInvitationCreated
다음 표에는 'SharingInvitationCreated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
SecureLinkDeleted
다음 표에는 'SecureLinkDeleted' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
RemovedFromSecureLink
다음 표에는 'RemovedFromSecureLink' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
SharingInvitationRevoked
다음 표에는 'SharingInvitationRevoked' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path |
| SourceRelativeUrl | target.file.full_path |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
SecureLinkUpdated
다음 표에는 'SecureLinkUpdated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
SecureLinkUsed
다음 표에는 'SecureLinkUsed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| UniqueSharingId | target.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
SharingRevoked
다음 표에는 'SharedRevoked' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to STORAGE_OBJECT ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
SharingSet
다음 표에는 'SharingSet' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_SYNC
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
PermissionLevelAdded
다음 표에는 'PermissionLevelAdded' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.permissions.name
BasePermissions is mapped to target.resource.attribute.permissions.name |
SharingInvitationAccepted
다음 표에는 'SharingInvitationAccepted' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.name
Added to Group is mapped to target.resource.name |
SharingInvitationBlocked
다음 표에는 'SharingInvitationBlocked' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| EventData | security_result.summary
Reason is mapped to security_result.summary |
AccessRequestCreated
다음 표에는 'AccessRequestCreated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| EventData | target.resource.attribute.labels.key/value
Sharing level is mapped to target.resource.attribute.labels.key/value ExpirationDate is mapped totarget.resource.attribute.labels.key/value |
AnonymousLinkCreated
다음 표에는 'AnonymousLinkCreated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
| UniqueSharingId | target.labels.key/value |
AccessRequestUpdated
다음 표에는 'AccessRequestUpdated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| ModifiedProperties | target.labels.key/value |
CompanyLinkRemoved
다음 표에는 'CompanyLinkRemoved' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value |
AccessRequestApproved
다음 표에는 'AccessRequestApproved' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| WebId | about.labels.key/value |
| EventData | target.resource.name
Extract using grok grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } } |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
AnonymousLinkRemoved
다음 표에는 'AnonymousLinkRemoved' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| UniqueSharingId | target.labels.key/value |
| SiteUrl | network.http.referral_url
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type> } } Type is mapped to target.resource.attribute.labels.key/value |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| MachineId | target.asset.product_object_id |
AnonymousLinkUpdated
다음 표에는 'AnonymousLinkUpdated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ApplicationDisplayName | target.application |
| WebId | about.labels.key/value |
| UniqueSharingId | target.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
Extract using grok grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } } Type is mapped to target.resource.attribute.labels.key/value MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value |
SharingInvitationUpdated
다음 표에는 'SharingInvitationUpdated' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| ApplicationDisplayName | target.application |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
| ModifiedProperties | target.labels.key/value |
| event_type is mapped to USER_RESOURCE_ACCESS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| TargetUserOrGroupName | target.group.group_display_name
target.user.userid or target.user.email_addresses if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
| ApplicationDisplayName | target.application |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
AnonymousLinkUsed
다음 표에는 'AnonymousLinkUsed' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
ResultStatus is Success Action is set to ALLOW security_result.summary is set to Group creation successful ResultStatus is Failure Action is set to BLOCK security_result.summary is set to Group creation failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.group.group_display_name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
그룹 추가
다음 표에는 '그룹 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set toGroup membership update failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product.object_id
target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
그룹에 구성원 추가
다음 표에는 '그룹에 구성원 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_CREATION
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if
else map |
| ModifiedProperties | security_result.summary
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
사용자 추가
다음 표에는 Add user 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
|
|
| Version | metadata.product_version
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
사용자 라이선스 변경
다음 표에는 '사용자 라이선스 변경' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
사용자 비밀번호 변경
다음 표에는 '사용자 비밀번호 변경' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION
ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group deletion successful ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group deletion failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.group.group_display_name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.group.group_display_name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
그룹 삭제
다음 표에는 '그룹 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ResultStatus is Success then Action is set to ALLOW security_result.summary is set to Group membership updated successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is set to Group membership update failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product.object_id
target.group.group_display_name Group.ObjectId is mapped to target.group.product.object_id Group.DisplayName is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
그룹에서 회원 삭제
다음 표에는 '그룹에서 회원 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION
if status is Success then action ALLOW security_result.summary User deleted successfully |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is Action Client Name then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
사용자 삭제
다음 표에는 Delete user 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
사용자 업데이트
다음 표에는 Update user 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GROUP_MODIFICATION
if |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
ModifiedProperties
|
security_result.detection_fields.key/value
If
If
If
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.group.group_display_name
If
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
그룹 업데이트
다음 표에는 '그룹 업데이트' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_LOGIN
If ResultStatus is Succeeded or ResultStatus is Success security_result.action is ALLOW security_result.summary is User login successful else if ResultStatus is Failed or LogonError !is security_result.action is BLOCK security_result.summary is User login failed security_result.description is {LogonError} UserId is mapped to target.user.userid or target.user.email_addresses metadata.description is User Login - {Workload} |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
extensions.auth.type extensions.auth.mechanism |
| ModifiedProperties | target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
| DeviceProperties | network.session_id
principal.platform principal.hostname If Name is OS { If Value is match to Windows then principal.platform is WINDOWS If Value is match to Mac then principal_plateform is MAC if Value is match to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname |
| ErrorCode | security_result.description
security_result.description is set to ErrorCode - {ErrorCode} |
| LogonError | security_result.description |
UserLoggedIn
다음 표에는 'UserLoggedIn' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_LOGIN
security_result.Action is set to BLOCK security_result.summary is User login failed |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
extensions.auth.type extensions.auth.mechanism If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE If Name is UserAgent then Value is mapped to network.http.user_agent If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type If Name is requestType then Based on Value it will map with extensions.auth.type |
| ModifiedProperties | target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
| DeviceProperties | network.session_id
principal.platform principal.hostname If Name is OS { If Value is matched to Windows then principal.platform is WINDOWS If Value is matched to Mac then principal_plateform is MAC if Value is matched to Linux then principal_plateform is LINUX } If Name is SessionId then Value is mapped to network.session_id If Name is OS then Value is mapped to principal.platform If Name is DisplayName then Value is mapped to principal.hostname |
| ErrorCode | security_result.description
security_result.description is set to ErrorCode - {ErrorCode} |
| LogonError | security_result.description
If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD |
UserLoginFailed
다음 표에는 'UserLoginFailed' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
StsRefreshTokenValidFrom 타임스탬프 업데이트
다음 표에는 'StsRefreshTokenValidFrom 타임스탬프 업데이트' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summary If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
기기 업데이트
다음 표에는 '기기 업데이트' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
도메인의 페더레이션 설정 지정
다음 표에는 '도메인의 페더레이션 설정 지정' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc).
ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
도메인 확인
다음 표에는 '도메인 확인' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
회사 정보 설정
다음 표에는 '회사 정보 설정' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
사용자 비밀번호 재설정
다음 표에는 '사용자 비밀번호 재설정' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.description
security_result.summary target.labels.key/value If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue} If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
계정 사용 중지
다음 표에는 '계정 사용 중지' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
사용자의 애플리케이션 비밀번호 삭제
다음 표에는 '사용자의 애플리케이션 비밀번호 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
기기 삭제
다음 표에는 '기기 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 1 then ID is mapped to target.resource.name If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
기기에 등록된 사용자 추가
다음 표에는 '기기에 등록된 사용자 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
기기에 등록된 소유자 추가
다음 표에는 '기기에 등록된 소유자 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Device.DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
그룹에 소유자 추가
다음 표에는 '그룹에 소유자 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product_object_id
target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
OAuth2PermissionGrant 추가
다음 표에는 'OAuth2PermissionGrant 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
기기 추가
다음 표에는 '기기 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is DEVICE ResultStatus is Success Action is set to ALLOW ResultStatus is Failure Action is set to BLOCK |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.resource.product_object_id
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetObjectId then Value is mapped to target.resource.product_object_id If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.ptatform_version security_result.description target.resource.name security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1. If Name is DeviceOSType then NewValue is mapped to target.platform If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version If Name is DevicePhysicalIds then NewValue is mapped to security_result.description If Name is DisplayName then NewVale is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
사용자에게 앱 역할 할당 부여 추가
다음 표에는 '사용자에게 앱 역할 할당 부여 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSION
Workload is mapped to intermediary.application |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | target.application
network.http.user_agent target.resource.attribute.labels.key/value about.labels.key/value If Name is targetName then Value is mapped to target.application If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.user.userid or target.user.email_addresses
If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
애플리케이션에 대한 동의
다음 표에는 '애플리케이션에 대한 동의' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.resource.name
target.user.userid or target.user.email_addresses security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
서비스 주 구성원 업데이트
다음 표에는 '서비스 주 구성원 업데이트' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
서비스 주 구성원 추가
다음 표에는 '서비스 주 구성원 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
서비스 주 구성원 삭제
다음 표에는 '서비스 주 구성원 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
역할에 구성원 추가
다음 표에는 Add member to role 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | target.resource.product_object_id
if
If
if |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemsId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| TargetContextId | target.labels.key/value
|
| Version | metadata.product_version
|
역할에서 구성원 삭제
다음 표에는 '역할에서 구성원 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ResultStatus is Success then Action is set to ALLOW security_result.summary is Removed a user to an admin role successfully ResultStatus is Failure then Action is set to BLOCK security_result.summary is Removed a user to an admin role failed |
|
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.user.attribute.roles.name if Name is Role.ObjectId then NewValue is target.resource.product_object_id If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
| event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
라벨 추가
다음 표에는 '라벨 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is set to target.resource.product_object_id |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemsId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses |
| TargetContextId | target.labels.key/value |
| Version | metadata.product_version |
회사 만들기
다음 표에는 '회사 만들기' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
ObjectId is set to target.resource.product_object_id |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.labels.key/value |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
TeamsSessionStarted
다음 표에는 'TeamsSessionStarted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleGroupAdded
다음 표에는 'ScheduleGroupAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleGroupEdited
다음 표에는 'ScheduleGroupEdited' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_DELETION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleGroupDeleted
다음 표에는 'ScheduleGroupDeleted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING Required fields for SETTING_CREATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
ShiftAdded
다음 표에는 'ShiftAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
ShiftEdited
다음 표에는 'ShiftEdited' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
ShiftDeleted
다음 표에는 'ShiftDeleted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
TimeOffAdded
다음 표에는 'TimeOffAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
TimeOffEdited
다음 표에는 'TimeOffEdited' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| Shift | target.resource.attribute.labels.value |
TimeOffDeleted
다음 표에는 'TimeOffDeleted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |
OpenShiftAdded
다음 표에는 'OpenShiftAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |
OpenShiftEdited
다음 표에는 'OpenShiftEdited' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| OpenShift | target.resource.attribute.labels.key/value |
OpenShiftDeleted
다음 표에는 'OpenShiftDeleted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleShared
다음 표에는 'ScheduleShared' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ClockedIn
다음 표에는 'ClockedIn' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
BreakStarted
다음 표에는 'BreakStarted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
BreakEnded
다음 표에는 'BreakEnded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.labels.key/value |
RequestAdded
다음 표에는 'RequestAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.label.key/value |
RequestRespondedTo
다음 표에는 'RequestResponseedTo' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
| ShiftRequest | target.resource.attribute.label.key/value |
RequestCancelled
다음 표에는 'RequestCancelled' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| ScheduleId | target.resource.product_object_id |
ScheduleSettingChanged
다음 표에는 'ScheduleSettingChanged' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
TeamSettingChanged
다음 표에는 'TeamSettingChanged' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
AppInstalled
다음 표에는 'AppInstalled' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| AddOnName | target.resource.name |
| Version | metadata.product_version |
| AppDistributionMode | about.labels.key/value |
| AzureADAppId | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TargetUserId | target.user.product_object_id |
MemberRemoved
다음 표에는 'MemberRemoved' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
TabRemoved
다음 표에는 'TabRemoved' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| AddOnName | target.resource.name |
| ChannelName | target.resource.attribute.labels.key/value |
| TeamName | target.group.group_display_name |
AppUninstalled
다음 표에는 'AppUninstalled' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| AddOnName | target.resource.name |
| Version | metadata.product_version |
| AppDistributionMode | about.labels.key/value |
| AzureADAppId | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TargetUserId | target.user.product_object_id |
MemberAdded
다음 표에는 'MemberAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| CommunicationType | about.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
TabAdded
다음 표에는 'TabAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| AddOnGuid | target.resource.product_object_id |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| AddOnName | target.resource.name |
| AddOnUrl | target.url |
| ChannelName | target.labels.key/value |
| TeamName | target.group.group_display_name |
ClockedOut
다음 표에는 'ClockedOut' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
| AADGroupId | target.labels.key/value |
| ScheduleId | target.resource.product_object_id |
TeamCreated
다음 표에는 'TeamCreated' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.resource.product_object_id |
| TeamName | target.resource.name |
| Version | metadata.product_version |
BotAddedToTeam
다음 표에는 'BotAddedToTeam' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| AddOnGuid | target.resource.product_object_id |
| AddOnName | target.resource.name |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ChannelAdded
다음 표에는 'ChannelAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ConnectorAdded
다음 표에는 'ConnectorAdded' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ChannelSettingChanged
다음 표에는 'ChannelSettingChanged' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
TeamsTenantSettingChanged
다음 표에는 'TeamsTenantSettingChanged' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
MemberRoleChanged
다음 표에는 'MemberRoleChanged' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name DisplayName is mapped to about.user.user_display_name Role is mapped to about.user.attribute.roles.name UPN is mapped to about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
DeletedAllOrganizationApps
다음 표에는 'DeletedAllOrganizationApps' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ChannelDeleted
다음 표에는 'ChannelDeleted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
TeamDeleted
다음 표에는 'TeamDeleted' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.resource.product_object_id |
| TeamName | target.resource.name |
BotRemovedFromTeam
다음 표에는 'BotRemovedFromTeam' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ConnectorRemoved
다음 표에는 'ConnectorRemoved' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
ConnectorUpdated
다음 표에는 'ConnectorUpdated' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.email_addresses |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
TabUpdated
다음 표에는 'TabUpdated' 작업과 'MicrosoftTeams' 워크로드의 해당 UDM 매핑과 로그 필드가 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AddOnGuid | target.labels.key/value |
| AddOnName | target.resource.name |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.labels.key/value |
| ChannelName | target.resource.attribute.labels.key/value |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| Members | about.user.userid or about.user.email_addresses
about.user.user_display_name about.user.attribute.roles.name |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| Name | target.resource.attribute.labels.key |
| NewValue | target.resource.attribute.labels.value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| TabType | target.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| AADGroupId | target.labels.key/value |
| AddOnUrl | target.url |
업데이트
다음 표에는 '업데이트' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism
LogonType is 2 then mechanism is set to INTERACTIVE LogonType is 3 or 8 then mechanism is set to NETWORK LogonType is 4 then mechanism is set to BATCH LogonType is 5 then mechanism is set to SERVICE LogonType is 7 then mechanism is set to UNLOCK LogonType is 9 then mechanism is set to NEW_CREDENTIALS LogonType is 9 then mechanism is set to REMOTE_INTERACTIVE LogonType is 9 then mechanism is set to CACHED_INTERACTIVE else mechanism is set to MECHANISM_UNSPECIFIED |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Item | network.email.subject
target.resource.product_object_id target.resource.name target.file.size network.email.mail_id target.file.full_path Id is mapped to target.resource.product_object_id Subject is mapped to network.email.subject SizeInBytes is mapped to target.file.size Item.ParentFolder.Path is mapped to target.resource.name InternetMessageId is mapped to network.email.mail_id Attachments is mapped to target.file.full_path |
| ModifiedProperties | securiy_result.summary |
| SessionId | network.session_id |
| ClientRequestId | principal.labels.key/value |
| Version | metadata.product_version |
FolderBind
다음 표에는 'FolderBind' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientRequestId | principal.labels.key/value |
| Item | target.resource.product_object_id
target_resource_name network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
SendOnBehalf
다음 표에는 'SendOnBehalf' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| Item | network.email.subject
network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.email_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id |
| SessionId | network.session_id |
| SendOnBehalfOfUserSmtp | target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
SendAs
다음 표에는 'SendAs' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| SendAsUserMailboxGuid | about.labels.key/value |
| Item | network.email.subject
network.email.mail_id target.file.full_path target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.Subject is mapped to network.email.subject Item.Attachments is mapped to target.file.full_path Item.Id is mapped to target.resource.product_object_id |
| SessionId | network.session_id |
| SendAsUserSmtp | target.user.userid or target.user.email_addresses |
| Version | metadata.product_version |
보내기
다음 표에는 '보내기' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | network.email.subject
network.email.mail_id target.file.full_path target.resource.product_object_id |
| SessionId | network.session_id |
| Version | metadata.product_version |
New-InboxRule
다음 표에는 'New-InboxRule' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| SessionId | network.session_id |
| Version | metadata.product_version |
| Parameters | security_result.rule_labels.key/value |
| AppId | target.labels.key/value |
Set-InboxRule
다음 표에는 'Set-InboxRule' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
ObjectId is set to target.group.product_object_id target.resource.resource_type is set to SETTING |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | security_result.rule_labels.key/value |
| SessionId | network.session_id |
| ClientRequestId | principal.labels.key/value |
| Version | metadata.product_version |
MoveToDeletedItems
다음 표에는 'MoveToDeletedItems' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| DestFolder | target.resource.product_object_id
target.resource.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id Subject is mapped to network.email.subject ParentFolder.Path is mapped to about.file.full_path AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id |
| Folder | src.resource.product_object_id
src.resource.name |
| ClientRequestId | principal.labels.key/value |
| AppId | target.labels.key/value |
이동
다음 표에는 '이동' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| DestFolder | target.resource.product_object_id
target.resource.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id |
| Folder | src.resource.product_object_id
src.resource.name |
MailItemsAccessed
다음 표에는 'MailItemsAccessed' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| OperationProperties | security_result.detection_fields.key/value. |
| SessionId | network.session_id |
| Version | metadata.product_version |
| OperationCount | about.labels.key/value |
| AppId | target.labels.key/value |
| Folders | about.resource.name
about.resource.product_object_id network.email.mail_id Folders.Path is mapped to about.resource.name Folders.Id is mapped to about.resource.product_object_id Folders.0.FolderItems.0.InternetMessageId network_email_id |
MailboxLogin
다음 표에는 'MailboxLogin' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_LOGIN
auth.Type is MACHINE |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| SessionId | network.session_id |
| Version | metadata.product_version |
SoftDelete
다음 표에는 'SoftDelete' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id AffectedItems.Attachments is mapped to about.file.full_path AffectedItems.Subject is mapped to network.email.subject AffectedItems.0.InternetMessageIdis mapped to network.email.mail_id |
| Folder | target.resource.name
target.resource.product_object_id Folder.Path is mapped to target.resource.name Folder.Id is mapped to target.resource.product_object_id |
| SessionId | network.session_id |
| ClientRequestId | principal.labels.key/value |
| Version | metadata.product_version |
HardDelete
다음 표에는 'HardDelete' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| AffectedItems | about.file.full_path
network.email.subject network.email.mail_id |
| Version | metadata.product_version |
| ClientAppId | target.labels.key/value |
| AppId | target.labels.key/value |
| Folder | target.resource.name
target.resource.product_object_id |
만들기
다음 표에는 '만들기' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.resource.name
target.resource.product_object_id target.file.full_path network.email.subject network.email.mail_id Item.id is mapped to target.resource.product_object_id Item.InternetMessageId is mapped to network.email.mail_id Item.ParentFolder.Path is mapped to target.resource.name Item.Subject is mapped to network.email.subject Attachment may present or not in log so write grok for this. Item.Attachments is mapped to target.file.full_path |
| SessionId | network.session_id |
| Version | metadata.product_version |
RemoveFolderPermissions
다음 표에는 'RemoveFolderPermissions' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.file.full_path
target.resource.attribute.permissions.name target.user.email_addresses or target.user.userid Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid Item.ParentFolder.Path is mapped to target.file.full_path User rights is mapped to target.resource.attribute.permissions.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
ModifyFolderPermissions
다음 표에는 'ModifyFolderPermissions' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.file.full_path
target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
AddFolderPermissions
다음 표에는 'AddFolderPermissions' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ResultStatus is Succeeded Action is set to ALLOW else Action is set to BLOCK |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| Item | target.file.full_path
target.user.email_addresses or target.user.userid target.resource.attribute.permissions.name Path is mapped to target.file.full_path Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid User Rights is mapped to target.resource.attribute.permissions.name |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
Remove-MailboxPermission
다음 표에는 'Remove-MailboxPermission' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Add-MailboxPermission
다음 표에는 'Add-MailboxPermission' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
| AppId | target.resource.attribute.labels.key/value |
| Parameters | security_result.detection_fields.key/value |
| ObjectId | target.resource.attribute.labels.key/value |
UpdateInboxRules
다음 표에는 'UpdateInboxRules' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
| Item | target.resource.product_object_id
target.resource.name Item.ParentFolder.name is mapped to target.resource.name Item.ParentFolder.id is mapped to target.resource.product_object_id |
| OperationProperties | security_result.rule_id
security_result.rule_name security_result.detection_fields.key/value if Name is RuleId then Value is mapped to security_result.rule_id if Name is RuleName then Value is mapped to security_result.rule_name else security_result.detection_fields.key/value |
| ClientRequestId | principal.labels.key/value |
UpdateCalendarDelegation
다음 표에는 'UpdateCalendarDelegation' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is SERVICE_ACCOUNT |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
ApplyRecordLabel
다음 표에는 'ApplyRecordLabel' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
UpdateFolderPermissions
다음 표에는 'UpdateFolderPermissions' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to STORAGE_OBJECT |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
Set-User
다음 표에는 'Set-User' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION
ObjectId is set to target.user.userid or target.user.email_addresses |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| Version | metadata.product_version |
ViewReport
다음 표에는 'ViewReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is mapped to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| ConsumptionMethod | target.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| DistributionMethod | about.labels.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.attribute.labels.key/value |
GenerateEmbedToken
다음 표에는 'GenerateEmbedToken' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| ConsumptionMethod | target.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| DistributionMethod | about.labels.key/value |
| ReportId | target.resource.attribute.labels.key/value |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| EmbedTokenId | target.resource.product_object_id |
| RLSIdentities | about.user.email_addresses
about.user.attribute.roles.name RLSIdentities.UserName is mapped to about.user.email_addresses RLSIdentities.Roles is mapped to about.user.attribute.roles.name |
CreateDataset
다음 표에는 'CreateDataset' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
GenerateCustomVisualAADAccessToken
다음 표에는 'GenerateCustomVisualAADAccessToken' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| CustomVisualAccessTokenResourceId | target.resource.product_object_id |
| CustomVisualAccessTokenSiteUri | target.url |
DeleteOrganizationalGalleryItem
다음 표에는 'DeleteOrganizationalGalleryItem' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
DeleteAlmPipeline
다음 표에는 'DeleteAlmPipeline' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
AddDatasourceToGateway
다음 표에는 'AddDatasourceToGateway' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| GatewayId | target.resource.attribute.labels.key/value |
| GatewayType | target.labels.key/value |
| DatasourceId | target.resource.product_object_id |
| DatasourceType | target.resource.attribute.labels.key/value |
AssignWorkspaceToPipeline
다음 표에는 'AssignWorkspaceToPipeline' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | principal.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | principal.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| DeploymentPipelineStageOrder | target.labels.key/value |
CancelDataflowRefresh
다음 표에는 'CancelDataflowRefresh' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
ChangeCapacityState
다음 표에는 'ChangeCapacityState' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CapacityName | target.resource.name |
| CapacityUsers | about.labels.key/value |
| CapacityState | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
ChangeGatewayAdministrators
다음 표에는 'ChangeGatewayAdministrators' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.product_object_id |
| UserInformation | about.user.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
InsertOrganizationalGalleryItem
다음 표에는 'InsertOrganizationalGalleryItem' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
CreateAlmPipeline
다음 표에는 'CreateAlmPipeline' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| DeploymentPipelineId | target.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
CreateApp
다음 표에는 'CreateApp' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
CreateDashboard
다음 표에는 'CreateDashboard' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
If IsSuccess is true then security_result.summary is Dashboard created successfully else security_result.summary is Dashboard not created |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
CreateDataflow
다음 표에는 'CreateDataflow' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_CREATION
If IsSuccess is true then security_result.summary is Dataflow created successfully else security_result.summary is Dataflow not created |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DataflowType | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
CreateEmailSubscription
다음 표에는 'CreateEmailSubscription' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
If IsSuccess is true then security_result.summary is EmailSubscription created successfully else security_result.summary is EmailSubscription not created ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| SubscriptionSchedule | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| SubscribeeInformation | network.email.to |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
CreateFolder
다음 표에는 'CreateFolder' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| FolderDisplayName | target.resource.name |
| FolderObjectId | target.resource.attribute.labels.key/value |
CreateGateway
다음 표에는 'CreateGateway' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| GatewayId | target.resource.product_object_id |
| GatewayType | target.labels.key/value |
CreateTemplateApp
다음 표에는 'CreateTemplateApp' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
DeleteComment
다음 표에는 'DeleteComment' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| AuditedArtifactInformation | target.resource.name
target.resource.product_object_id target.resource.attribute.labels.key/value Name is mapped to target.resource.name ArtifactObjectId is set to target.resource.product_object_id AnnotatedItemType is mapped to target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
DeleteDashboard
다음 표에는 'DeleteDashboard' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| DashboardName | target.resource.name |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| DistributionMethod | about.labels.key/value |
DeleteDataflow
다음 표에는 'DeleteDataflow' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
DeleteDataset
다음 표에는 'DeleteDataset' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
DeleteEmailSubscription
다음 표에는 'DeleteEmailSubscription' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_DELETION
ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
DeleteFolder
다음 표에는 'DeleteFolder' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
if isSuccess is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
DeleteGateway
다음 표에는 'DeleteGateway' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
DeleteGroup
다음 표에는 'DeleteGroup' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.nameRecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
DeleteReport
다음 표에는 'DeleteReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
DownloadReport
다음 표에는 'DownloadReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
EditDataset
다음 표에는 'EditDataset' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
EditDatasetProperties
다음 표에는 'EditDatasetProperties' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetCertificationStage | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
EditReport
다음 표에는 'EditReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| ReportId | target.resource.attribute.labels.key/value |
| ReportType | target.resource.attribute.labels.key/value |
ExportDataflow
다음 표에는 'ExportDataflow' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
if isSuccess is TRUE then security_result.summary is Dataflow Exported Successfully else security_result.summary is Dataflow Not Exported |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| DataflowName | target.rsource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
ExportReport
다음 표에는 'ExportReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
if isSuccess is TRUE then security_result.summary is Report Exported Successfully else security_result.summary is Report Not Exported |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| DatasetId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| LastRefreshTime | about.labels.key/value |
InstallApp
다음 표에는 'InstallApp' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
InstallTemplateApp
다음 표에는 'InstallTemplateApp' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppFolderObjectId | about.labels.key/value |
| TemplateAppOwnerTenantObjectId | principal.user.product_object_id |
| TemplateAppVersion | metadata.product_version |
| TemplateAppObjectId | target.resource.product_object_id |
| TemplatePackageName | target.resource.name |
PostComment
다음 표에는 'PostComment' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| AuditedArtifactInformation | target.resource.name
target.resource.product_object_id target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
PrintDashboard
다음 표에는 'PrintDashboard' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZEDObjectId is set to target.file.full_path | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
PrintReport
다음 표에는 'PrintReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
UnassignWorkspaceFromPipeline
다음 표에는 'UnassignWorkspaceFromPipeline' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| DeploymentPipelineId | target.resource.attribute.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
RemoveDatasourceFromGateway
다음 표에는 'RemoveDatasourceFromGateway' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.attribute.label.key/value |
| DatasourceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
RenameDashboard
다음 표에는 'RenameDashboard' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is set to target.file.full_path |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
RequestDataflowRefresh
다음 표에는 'RequestDataflowRefresh' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowRefreshScheduleType | target.labels.key/value |
| DataflowType | target.resource.attribute.label.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
RefreshDataset
다음 표에는 'RefreshDataset' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RefreshType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
SensitivityLabelApplied
다음 표에는 'SensitivityLabelApplied' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| SensitivityLabelId | target.resource.product_object_id |
| ActionSourceDetail | principal.labels.key/value |
| LabelEventType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActionSourceDetail | principal.labels.key/value |
| ArtifactType | about.labels.key/value |
SensitivityLabelRemoved
다음 표에는 'SensitivityLabelRemoved' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OldSensitivityLabelId | target.resource.product_object_id |
| ActionSource | principal.labels.key is set to ActionSource
principal.labels.value is set to {Value} |
| LabelEventType | target.labels.key/value |
| LastRefreshTime | about.labels.key/value |
| ActionSourceDetail | principal.labels.key/value |
| ArtifactType | about.labels.key/value |
SetScheduledRefreshOnDataflow
다음 표에는 'SetScheduledRefreshOnDataflow' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.label.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
SetScheduledRefresh
다음 표에는 'SetScheduledRefresh' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.rsource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| Schedules | target.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
ShareDashboard
다음 표에는 'ShareDashboard' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| DashboardId | target.resource.product_object_id |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| SharingAction | about.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
ShareReport
다음 표에는 'ShareReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| Datasets | about.resource.product_object_id
about.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| ArtifactId | target.resource.product_object_id |
| ArtifactName | target.resource.name |
| SharingAction | about.labels.key/value |
| ShareLinkId | about.labels.key/value |
OptInForProTrial
다음 표에는 'OptInForProTrial' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UnpublishApp
다음 표에는 'UnpublishApp' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkspaceId | target.resource.product_object_id |
| WorkSpaceName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateOrganizationalGalleryItem
다음 표에는 'UpdateOrganizationalGalleryItem' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| OrganizationalGalleryItemId | target.resource.product_object_id |
| OrganizationalGalleryItemDisplayName | target.resource.name |
| OrganizationalGalleryItemPublishTime | target.resource.attribute.labels.key/value |
UpdateAlmPipelineAccess
다음 표에는 'UpdateAlmPipelineAccess' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DeploymentPipelineObjectId | target.resource.product_object_id |
| DeploymentPipelineDisplayName | target.resource.name |
| DeploymentPipelineAccesses | about.user.userid
about.user.attribute.permissions.name userid is mapped to about.user.userid Rolepermission is mapped to about.user.attribute.permissions.name |
UpdateInstalledTemplateAppParameters
다음 표에는 'UpdateInstalledTemplateAppParameters' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
| TemplatePackageName | target.resource.name |
| TemplateAppVersion | metadata.product_version |
| TemplateAppFolderObjectId | about.labels.key/value |
UpdatedAdminFeatureSwitch
다음 표에는 'UpdatedAdminFeatureSwitch' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is mapped to SETTING |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| SwitchState | about.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateApp
다음 표에는 'UpdateApp' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| WorkspaceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateDataflow
다음 표에는 'UpdateDataflow' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateDatasetParameters
다음 표에는 'UpdateDatasetParameters' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.product_object_id |
| DataConnectivityMode | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| LastRefreshTime | about.labels.key/value |
UpdateEmailSubscription
다음 표에는 'UpdateEmailSubscription' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION
target.resource.type is mapped to TASK |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| SubscriptionSchedule | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| SubscribeeInformation | network.email.to |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
UpdateFolder
다음 표에는 'UpdateFolder' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| FolderDisplayName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateFolderAccess
다음 표에는 'UpdateFolderAccess' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| FolderObjectId | target.resource.product_object_id |
| FolderDisplayName | target.resource.name |
| FolderAccessRequests | about.user.userid
about.user.product_object_id about.user.attribute.permissions.type UserId is mapped to about.user.userid UserObjectId is set to about.user.product_object_id RolePermissions is mapped to about.user.attribute.permissions.type |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateDatasourceCredentials
다음 표에는 'UpdateDatasourceCredentials' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| GatewayId | target.resource.attribute.labels.key/value |
| DatasourceId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
UpdateTemplateAppSettings
다음 표에는 'UpdateTemplateAppSettings' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AppName | target.labels.key/value |
| ActivityId | principal.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
UpdateTemplateAppTestPackagePermissions
다음 표에는 'UpdateTemplateAppTestPackagePermissions' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| TemplateAppObjectId | target.resource.product_object_id |
ViewDashboard
다음 표에는 'ViewDashboard' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ConsumptionMethod | target.labels.key/value |
| DistributionMethod | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| Datasets | about.resource.product_object_id
about.resource.name DatasetId is mapped to about.resource.product_object_id DatasetName is mapped to about.resource.name |
| DashboardId | target.resource.product_object_id |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DashboardName | target.resource.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
ViewDataflow
다음 표에는 'ViewDataflow' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| CapacityId | about.labels.key/value |
| CapacityName | about.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DataflowId | target.resource.product_object_id |
| DataflowName | target.resource.name |
| DataflowType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
AddTile
다음 표에는 'AddTile' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| TileText | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
RunEmailSubscription
다음 표에는 'RunEmailSubscription' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCHEDULED_TASK_CREATION
target.resource.resource_type is TASK If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AppName | target.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.label.key/value |
| DashboardName | target.resource.name |
| WorkspaceId | target.resource.attribute.label.key/value |
| DashboardId | target.resource.product_object_id |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
CreateReport
다음 표에는 'CreateReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| UserAgent | network.http.user_agent |
| WorkSpaceName | target.resource.attribute.label.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.label.key/value |
| DatasetId | target.resource.attribute.label.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| DistributionMethod | about.labels.key/value |
GetSnapshots
다음 표에는 'GetSnapshots' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
OptInForPPUTrial
다음 표에는 'OptInForPPUTrial' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
Set-MailUser
다음 표에는 'Set-MailUser' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| Version | metadata.product_version |
Set-MailContact
다음 표에는 'Set-MailContact' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| Version | metadata.product_version |
Set-Mailbox
다음 표에는 'Set-Mailbox' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
Object is mapped to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Set-DistributionGroup
다음 표에는 'Set-DistributionGroup' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is Group members definition ResultStatus is True Action is set to ALLOW else Action is set to BLOCK |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is AcceptMessagesOnlyFromSendersOrMembers then Value is mapped to security_result.description else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Set-Contact
다음 표에는 'Set-Contact' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| Version | metadata.product_version |
Set-CASMailbox
다음 표에는 'Set-CASMailbox' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to target.group.group_display_name |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| ModifiedObjectResolvedName | about.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Set-CalendarProcessing
다음 표에는 'Set-CalendarProcessing' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.user_display_name
If Name is ResourceDelegates then Value is mapped to target.user.user_display_name |
| SessionId | network.session_id |
| Version | metadata.product_version |
Set-AdminAuditLogConfig
다음 표에는 'Set-AdminAuditLogConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. ObjectId is mapped to target.url target.resource.resource_type is set to SETTING |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| ModifiedObjectResolvedName | about.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Remove-UnifiedGroup
다음 표에는 'Remove-UnifiedGroup' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION | |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| Version | metadata.product_version |
Remove-MigrationUser
다음 표에는 'Remove-MigrationUser' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION
ObjectId is set to target.user.userid or target.user.email_addresses |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.detection_fields.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
Update-eDiscoveryCaseAdmin
다음 표에는 'Update-eDiscoveryCaseAdmin' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Remove-DistributionGroupMember
다음 표에는 'Remove-DistributionGroupMember' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
ViewedSearchExported
다음 표에는 'ViewedSearchExported' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
AddWorkingSetQueryToWorkingSet
다음 표에는 'AddWorkingSetQueryToWorkingSet' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AddQueryToWorkingSet
다음 표에는 'AddQueryToworkingSet' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
RunAlgo
다음 표에는 'RunAlgo' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AnnotateDocument
다음 표에는 'AnnotateDocument' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
BurnJob
다음 표에는 'BurnJob' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
CreateWorkingSet
다음 표에는 'CreateworkingSet' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
CreateWorkingsetSearch
다음 표에는 'CreateworkingsetSearch' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
CreateTag
다음 표에는 'CreateTag' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
DeleteWorkingsetSearch
다음 표에는 'DeleteWorkingsetSearch' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
DeleteTag
다음 표에는 'DeleteTag' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
DownloadDocument
다음 표에는 'DownloadDocument' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
UpdateTag
다음 표에는 'UpdateTag' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
ExportJob
다음 표에는 'ExportJob' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
UpdateCaseSettings
다음 표에는 'UpdateCaseSettings' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
UpdateWorkingsetSearch
다음 표에는 'UpdateWorkingsetSearch' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
TagFiles
다음 표에는 'TagFiles' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
ViewDocument
다음 표에는 'ViewDocument' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| CaseId | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| StartTime | target.resource.attribute.creation_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
SearchViewed
다음 표에는 'SearchViewed' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
If Name is SearchIds then Value is mapped to target.resource.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
CaseMemberAdded
다음 표에는 'CaseMemberAdded' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member|User) \{DATA:target_user}\ } } |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
SearchUpdated
다음 표에는 'SearchUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
CaseAdminUpdated
다음 표에는 'CaseAdminUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | about.user.email_address
about.user.product_object_id If Name is CaseAdminsSmtp then Value is mapped to about.user.email_addresses if Name is CaseAdminsGuid then Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
CaseUpdated
다음 표에는 'CaseUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
CaseMemberUpdated
다음 표에는 'CaseMemberUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resrource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchPermissionUpdated
다음 표에는 'SearchPermissionUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExtendedProperties | principal.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
HoldUpdated
다음 표에는 'HoldUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchRemoved
다음 표에는 'SearchRemoved' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
CaseAdminRemoved
다음 표에는 'CaseAdminRemoved' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
target.user.email_address target.user.userid If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} target_user is mapped to target.user.email_addresses or target.user.userid |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
CaseRemoved
다음 표에는 'CaseRemoved' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_detail |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchPermissionRemoved
다음 표에는 'SearchPermissionRemoved' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | principal.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
HoldRemoved
다음 표에는 'HoldRemoved' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
HoldCreated
다음 표에는 'HoldCreated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchCreated
다음 표에는 'SearchCreated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_detail |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_detail |
| Query | security_result.description |
| SharepointLocations | security_result.category_detail |
CaseAdminAdded
다음 표에는 'CaseAdminAdded' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.prdouct_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchStarted
다음 표에는 'SearchStarted' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
SearchReport
다음 표에는 'SearchReport' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
SearchStopped
다음 표에는 'SearchStopped' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_detail |
CaseViewed
다음 표에는 'CaseViewed' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_detail |
| ExtendedProperties | target.resource.product_object_id
about.user.email_addresses about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Nameis CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_detail |
| Query | security_result.description |
| SharepointLocations | security_result.category_detail |
SearchExportDownloaded
다음 표에는 'SearchExportDownload' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
CaseMemberRemoved
다음 표에는 'CaseMemberRemoved' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_id If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} Extract target_user information using grok grok { match is mapped to { Parameters .*-(Member|User) \{DATA:target_user}\ } } |
| Version | metadata.product_version |
CaseAdded
다음 표에는 'CaseAdded' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.user.email_address about.user.product_object_idIf Name is CaseId then ID is mapped to target.resource.product_object_id If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
SearchPermissionCreated
다음 표에는 'SearchPermissionCreated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | principal.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
| Version | metadata.product_version |
NetworkConfigurationUpdated
다음 표에는 'NetworkConfigurationUpdated' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses
principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
ProcessProfileFields
다음 표에는 'ProcessProfileFields' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
SupervisorAdminToggled
다음 표에는 'SupervisorAdminToggled' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
NetworkSecurityConfigurationUpdated
다음 표에는 'NetworkSecurityConfigurationUpdated' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
FileCreated
다음 표에는 'FileCreated' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_CREATIONIf ResultStatus is TRUE {
security_result.action is ALLOW} else {security_result.action is BLOCK} |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
GroupCreation
다음 표에는 'GroupCreation' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
MessageDeleted
다음 표에는 'MessageDeleted' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
GroupDeletion
다음 표에는 'GroupDeletion' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
DataExport
다음 표에는 'DataExport' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
FileVisited
다음 표에는 'FileVisited' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_READ
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses
principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
StreamInvokeVideoView
다음 표에는 'StreamInvokeVideoView' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoShare
다음 표에는 'StreamInvokeVideoShare' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoLike
다음 표에는 'StreamInvokeVideoLike' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoUnLike
다음 표에는 'StreamInvokeVideoUnLike' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoUpload
다음 표에는 'StreamInvokeVideoUpload' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoDownload
다음 표에는 'StreamInvokeVideoDownload' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoSetLink
다음 표에는 'StreamInvokeVideoSetLink' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateGroup
다음 표에는 'StreamCreateGroup' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditGroup
다음 표에는 'StreamEditGroup' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteGroup
다음 표에는 'StreamDeleteGroup' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_DELETION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditGroupMemberships
다음 표에는 'StreamEditGroupMemberships' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateChannel
다음 표에는 'StreamCreateChannel' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditChannel
다음 표에는 'StreamEditChannel' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | network.http.referral_url |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteChannel
다음 표에는 'StreamDeleteChannel' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | network.http.referral_url |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeChannelSetThumbnail
다음 표에는 'StreamInvokeChannelSetThumbnail' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | network.http.referral_url |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditVideoPermissions
다음 표에는 'StreamEditVideoPermissions' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is Succeeded then action is ALLOW else action is BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditVideo
다음 표에는 'StreamEditVideo' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteVideo
다음 표에는 'StreamDeleteVideo' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditUserSettings
다음 표에는 'StreamEditUserSettings' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamEditAdminTenantSettings
다음 표에는 'StreamEditAdminTenantSettings' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateVideoComment
다음 표에는 'StreamCreateVideoComment' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteVideoComment
다음 표에는 'StreamDeleteVideoComment' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoTextTrackUpload
다음 표에는 'StreamInvokeVideoTextTrackUpload' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamDeleteVideoTextTrack
다음 표에는 'StreamDeleteVideoTextTrack' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoThumbnailUpload
다음 표에는 'StreamInvokeVideoThumbnailUpload' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is Succeeded then action is ALLOW else action is BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamCreateVideo
다음 표에는 'StreamCreateVideo' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url_back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
DlpRuleMatch
다음 표에는 DlpRuleMatch 작업과 Exchange/SharePoint/OneDrive 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to EMAIL_TRANSACTION
|
|
| SharePointMetaData | network.http.referral_url
|
| ExchangeMetaData | network.email.from
|
| ExceptionInfo | about.labels.key/value
|
| PolicyDetails | target.resource.product_object_id
|
| IncidentId | about.labels.key/value
|
| Version | metadata.product_version
|
| Site | target.labels.key/value
|
| ItemType | target.resource.attribute.labels.key/value
|
| EventSource | principal.application
|
| SourceName | principal.labels.key/value
|
| UserAgent | network.http.user_agent
|
| MachineDomainInfo | target.asset.attribute.labels.key/value
|
| MachineId | target.asset.product_object_id
|
| EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
DlpRuleUndo
다음 표에는 'DlpRuleUndo' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id |
|
| SharePointMetaData | network.http.referral_url
network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size |
| ExceptionInfo | about.labels.key/value |
| PolicyDetails | target.resource.product_object_id
security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity |
| IncidentId | about.labels.key/value |
| Version | metadata.product_version |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
DlpInfo
다음 표에는 'DlpInfo' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
security_result.category is set to DATA_EXFILTRATION ObjectId is set to network.email.mail_id |
|
| SharePointMetaData | network.http.referral_url
network.email.from target.file.full_path target.url target.file.size SiteCollectionUrl is mapped to network.http.referral_url From is mapped to network.email.from (if ExchangeMetadata field not getting in log) FileName is mapped to target.file.full_path FilePathUrl is mapped to target.url FileSize is mapped to target.file.size |
| ExceptionInfo | about.labels.key/value |
| PolicyDetails | target.resource.product_object_id
security_result.summary security_result.description security_result.rule_id security_result.rule_name security_result.severity PolicyId is mapped to target.resource.product_object_id PolicyName is mapped to security_result.summary SensitiveInformationTypeName is mapped to security_result.description RuleId is mapped to security_result.rule_id RuleName is mapped to security_result.rule_name Severity is mapped to security_result.severity |
| IncidentId | about.labels.key/value |
| Version | metadata.product_version |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| EndpointMetaData.SensitiveInfoTypeData.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.Confidence | security_result.confidence_details |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.ClassifierType | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.UniqueCount | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId | security_result.detection_fields.key/value |
| EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value | security_result.detection_fields.key/value |
MipLabel
다음 표에는 'MipLabel' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_UNCATEGORIZED
ObjectId is set to network.email.mail_id |
|
| ApplicationMode | about.labels.key/value |
| ItemName | network.email.subject |
| LabelAppliedDateTime | principal.labels.key/value |
| LabelId | target.resource.product_object_id |
| LabelName | target.resource.name |
| Receivers | network.email.to |
| Sender | network.email.from |
| Version | metadata.product_version |
SiteCollectionCreated
다음 표에는 'SiteCollectionCreated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| CorrelationId | security_result.detection_fields.key/value |
| EventData | target.resource.name |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
| Version | metadata.product_version |
SiteDeleted
다음 표에는 'SiteDeleted' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationFileExtension | target.file.mime_type |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| MachineId | target.asset.product_object_id |
PreviewModeEnabledSet
다음 표에는 'PreviewModeEnabledSet' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is mapped to SETTING |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
OfficeOnDemandSet
다음 표에는 'OfficeOnDemandSet' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteJoined
다음 표에는 'HubSiteJoined' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value
target.resource.attribute.labels.key/value PreviousHubSiteIdis mapped to target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteRegistered
다음 표에는 'HubSiteRegistered' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value
target.resource.attribute.labels.key/value HubSiteIdis mapped to target.resource.attribute.labels.key/value IsHubSiteIdis mapped to target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteUnjoined
다음 표에는 'HubSiteUnjoined' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectID is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value
IsHubSiteIdis mapped to target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
HubSiteUnregistered
다음 표에는 'HubSiteUnregistered' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
ObjectID is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| EventData | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
SharingPolicyChanged
다음 표에는 'SharingPolicyChanged' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| CorrelationId | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| AssertingApplicationId | about.labels.key/value |
| ModifiedProperties | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
NetworkAccessPolicyChanged
다음 표에는 'NetworkAccessPolicyChanged' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.ip
target.labels.key/value if Name is IPAddressAllowList then NewValue is mapped to target.ip else target.labels.key/value |
| Site | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
AlertEntityGenerated
다음 표에는 'AlertEntityGenerated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
security_result.category is set to DATA_EXFILTRATION |
|
| AlertId | target.resource.product_object_id |
| AlertType | target.resource.attribute.labels.key/value |
| Name | security_result.summary |
| PolicyId | target.labels.key/value |
| Status | target.resource.attribute.labels.key/value |
| Severity | security_result.severity |
| Category | security_result.category_details |
| Source | security_result.description |
| Comments | about.labels.key/value |
| Data | about.labels.key/value |
| AlertEntityId | target.user.userid or target.user.email_addresses |
| EntityType | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AlertTriggered
다음 표에는 'AlertTriggered' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
security_result.category is set to DATA_EXFILTRATION |
|
| AlertId | target.resource.product_object_id |
| AlertType | target.resource.attribute.labels.key/value |
| Name | security_result.summary |
| PolicyId | target.labels.key/value |
| Status | target.resource.attribute.labels.key/value |
| Severity | security_result.severity |
| Category | security_result.category_details |
| Source | security_result.description |
| Comments | about.labels.key/value |
| Data | about.labels.key/value |
| AlertEntityId | target.user.userid or target.user.email_addresses |
| EntityType | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
AlertUpdated
다음 표에는 'AlertUpdated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT
security_result.category is set to DATA_EXFILTRATION |
|
| AlertId | target.resource.product_object_id |
| AlertType | target.resource.attribute.labels.key/value |
| Name | security_result.summary |
| PolicyId | target.labels.key/value |
| Status | target.resource.attribute.labels.key/value |
| Severity | security_result.severity |
| Category | security_result.category_details |
| Source | security_result.description |
| Comments | about.labels.key/value |
| Data | about.labels.key/value |
| AlertEntityId | target.user.userid or target.user.email_addresses |
| EntityType | target.resource.attribute.labels.key/value |
| Version | metadata.product_version |
Get-ComplianceCase
다음 표에는 'Get-ComplianceCase' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-CaseHoldPolicy
다음 표에는 'Get-CaseHoldPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_UNCATEGORIZED
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-ComplianceSearch
다음 표에는 'Get-ComplianceSearch' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Remove-CaseHoldPolicy
다음 표에는 'Remove-CaseHoldPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Set-CaseHoldPolicy
다음 표에는 'Set-CaseHoldPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
New-CaseHoldRule
다음 표에는 'New-CaseHoldRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Remove-CaseHoldRule
다음 표에는 'Remove-CaseHoldRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-CaseHoldRule
다음 표에는 'Set-CaseHoldRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Get-ComplianceSearchAction
다음 표에는 'Get-ComplianceSearchAction' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
New-ComplianceCase
다음 표에는 'New-ComplianceCase' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.name |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Remove-ComplianceCase
다음 표에는 'Remove-ComplianceCase' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Set-ComplianceCase
다음 표에는 'Set-ComplianceCase' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Add-ComplianceCaseMember
다음 표에는 'Add-ComplianceCaseMember' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Remove-ComplianceCaseMember
다음 표에는 'Remove-ComplianceCaseMember' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Update-ComplianceCaseMember
다음 표에는 'Update-ComplianceCaseMember' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
New-ComplianceSearch
다음 표에는 'New-ComplianceSearch' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Remove-ComplianceSearch
다음 표에는 'Remove-ComplianceSearch' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-ComplianceSearch
다음 표에는 'Set-ComplianceSearch' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Start-ComplianceSearch
다음 표에는 'Start-ComplianceSearch' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Stop-ComplianceSearch
다음 표에는 'Stop-ComplianceSearch' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
New-ComplianceSearchAction
다음 표에는 'New-ComplianceSearchAction' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Remove-ComplianceSearchAction
다음 표에는 'Remove-ComplianceSearchAction' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
New-ComplianceSecurityFilter
다음 표에는 'New-ComplianceSecurityFilter' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Remove-ComplianceSecurityFilter
다음 표에는 'Remove-ComplianceSecurityFilter' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-ComplianceSecurityFilter
다음 표에는 'Set-ComplianceSecurityFilter' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Add-eDiscoveryCaseAdmin
다음 표에는 'Add-eDiscoveryCaseAdmin' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CREATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Remove-eDiscoveryCaseAdmin
다음 표에서는 'Remove-eDiscoveryCaseAdmin' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑을 보여줍니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_DELETION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.user.email_addresses target.user.userid |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
New-CaseHoldPolicy
다음 표에는 'New-CaseHoldPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-AadProtectionLevel
다음 표에는 'Get-AadProtectionLevel' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-AutoSensitivityLabelPolicy
다음 표에는 'Get-AutoSensitivityLabelPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-DlpSensitiveInformationType
다음 표에는 'Get-DlpSensitiveInformationType' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-Label
다음 표에는 'Get-Label' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-LabelPolicy
다음 표에는 'Get-LabelPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
Get-PolicyConfig
다음 표에는 'Get-PolicyConfig' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Version | metadata.product_version |
ValidaterbacAccessCheck
다음 표에는 'ValidaterbacAccessCheck' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| AadAppId | target.labels.key/value |
| DataType | security_result.description |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
| Version | metadata.product_version |
ApplicableAdaptiveScopeChange
다음 표에는 'ApplicableAdaptiveScopeChange' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.resource.product_object_id
If Name is AssociatedAdaptiveScopeIds then Value is target.resource.product_object_id |
| CorrelationId | security_result.detection_fields |
| ObjectType | security_result.summary |
NewComplianceTag
다음 표에는 'NewComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
NewRetentionComplianceRule
다음 표에는 'NewRetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
NewRetentionCompliancePolicy
다음 표에는 'NewRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
RemoveComplianceTag
다음 표에는 'RemoveComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/valueIf Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
RemoveRetentionCompliancePolicy
다음 표에는 'RemoveRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
SetComplianceTag
다음 표에는 'SetComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is LabelName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
SetRetentionComplianceRule
다음 표에는 'SetRetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc). ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
SetRetentionCompliancePolicy
다음 표에는 'SetRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATIONtarget.resource.resource_type is set to SETTING
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
Get-CsTeamsUpgradeOverridePolicy
다음 표에는 'Get-CsTeamsUpgradeOverridePolicy' 작업과 'SkypeForBusiness' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | security_result.description
If Name is Tenant then Value is mapped to tenate_value If Name is Identity then Vale is mapped to identity_value security_result.description is Tenant = {tenate_value} / Identity = {identity_value} |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
TeamsAdminAction
다음 표에는 'TeamsAdminAction' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
If ResultStatus is Succeeded then Action is set to ALLOW If ResultStatus is Failed then Action is set to BLOCK |
|
| AdminActionDetail | security_result.summary |
| ClientApplication | network.http.user_agent |
| ExtraProperties | additional.fields.key/value.string_value |
| UserClaims | security_result.description |
| Version | metadata.product_version |
Update-DistributionGroupMember
다음 표에는 'Update-DistributionGroupMember' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK |
|
| ClientVersion | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.description
target.group.product_object_id or target.group.email_addresses target.group.attribute.labels.key/value If Name is Members then Value is mapped to security_result.description If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
| Version | metadata.product_version |
SupervisoryReviewOLAudit
다음 표에는 'SupervisoryReviewOLAudit' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
extract auditscore form ResultStatus using ResultStatus .*?Score:{auditScore} and map with security_result.confidenece_details is {auditScore} security_result.confidence will map based on auditScore |
|
| LogonType | extensions.auth.mechanism |
| InternalLogonType | about.labels.key/value |
| MailboxGuid | target.labels.key/value |
| MailboxOwnerUPN | target.user.email_addresses or target.user.userid |
| MailboxOwnerSid | target.user.windows_sid |
| MailboxOwnerMasterAccountSid | target.labels.key/value |
| LogonUserSid | principal.user.windows_sid |
| LogonUserDisplayName | principal.user.user_display_name |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientInfoString | network.http.user_agent |
| ClientIPAddress | principal.ip and principal.port |
| ClientMachineName | principal.hostname |
| ClientProcessName | principal.process.file.full_path |
| ClientVersion | metadata.product_version |
| ExchangeDetails | network.direection
network.email.from network.email.mail_id network.email.to network.email.subject If Directionality is Incoming then network.direction is mapped to INBOUND If Directionality is Outgoining then network.direction is mapped to OUTBOUND From is mapped to network.email.from InternetMessageId is mapped to network.email.mail_id Recipients is mapped to network.email.to Subject is mapped to network.email.subject |
| Version | metadata.product_version |
CrmDefaultActivity
다음 표에는 'CrmDefaultActivity' 작업과 'CRM' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| CrmOrganizationUniqueName | principal.resource.name |
| InstanceUrl | target.url |
| ItemUrl | principal.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| Fields | about.labels.key/value |
| EntityId | principal.labels.key/value |
| EntityName | principal.labels.key/value |
| Message | security_result.summary |
| Query | security_result.description |
| PrimaryFieldValue | about.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| QueryResults | about.labels.key/value |
| ServiceContextId | principal.labels.key/value |
| ServiceContextIdType | about.labels.key/value |
| ServiceName | principal.application |
| SystemUserId | principal.labels.key/value |
| Version | metadata.product_version |
TIMailData
다음 표에는 'TIMailData' 작업과 'ThreatIntelligence' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to EMAIL_TRANSACTION
ObjectId is set to metadata.product_log_id |
|
| AttachmentData | about.file.full_path
about.file.mime_type about.file.sha256 security_result.category_details AttachmentData.FileName is mapped to about.file.full_path AttachmentData.FileType is mapped to about.file.mime_type AttachmentData.SHA256 is mapped to about.file.sha256 AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details |
| DetectionType | security_result.summary |
| DetectionMethod | security_result.description |
| InternetMessageId | about.labels.key/value |
| NetworkMessageId | about.labels.key/value |
| P1Sender | principal.user.email_addresses |
| P2Sender | network.email.from |
| Policy | security_result.rule_name |
| PolicyAction | security_result.action
PolicyAction is Quarantine then action is set to QUARANTINE PolicyAction is MoveToJmf then action is set to ALLOW_WITH_MODIFICATION |
| Recipients | network.email.to |
| SenderIp | src.ip |
| Subject | network.email.subject |
| Verdict | security_result.category |
| MessageTime | target.resource.attribute.labels.key/value |
| EventDeepLink | metadata.url_back_to_product |
| DeliveryAction | about.labels.key/value |
| OriginalDeliveryLocation | about.labels.key/value |
| LatestDeliveryLocation | about.labels.key/value |
| Directionality | network.direction |
| ThreatsAndDetectionTech | about.labels.key/value |
| AdditionalActionsAndResults | about.labels.key/value |
| Connectors | about.labels.key/value |
| AuthDetails | about.labels.key/value |
| PhishConfidenceLevel | about.labels.key/value |
| Version | metadata.product_version |
SearchMtpStatus
다음 표에는 'SearchMtpStatus' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| Version | metadata.product_version |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
RemovedFromSiteCollection
다음 표에는 'RemovedFromSiteCollection' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| TargetUserOrGroupType | target.group.group_display_name
target.user.userid target.user.email_addresses |
| WebId | about.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ApplicationDisplayName | target.application |
CommentsDisabled
다음 표에는 'CommentsDisabled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| SourceRelativeUrl | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| WebId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
FileRecycled
다음 표에는 'FileRecycled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
CommentsEnabled
다음 표에는 'CommentsEnabled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| SiteUrl | network.http.referral_url |
| SourceFileName | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | if ObjectId field is not present in log then
target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| ApplicationDisplayName | target.application |
FolderRecycled
다음 표에는 'FolderRecycled' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_DELETION
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| WebId | about.labels.key/value |
FileTranscriptRequested
다음 표에는 'FileTranscriptRequested' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| WebId | about.labels.key/value |
WACTokenShared
다음 표에는 'WACTokenShared' 작업과 'SharePoint/OneDrive' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| ListItemUniqueId | principal.asset_id |
| ListId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application |
| SiteUrl | network.http.referral_url |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceFileExtension | target.file.mime_type |
| UserSharedWith | target.labels.key/value |
| SharingType | target.labels.key/value |
| SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value. |
| WebId | about.labels.key/value |
라벨 업데이트
다음 표에는 '라벨 업데이트' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
SiteLocksChanged
다음 표에는 'SiteLocksChanged' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteIBModeSet
다음 표에는 'SiteIBModeSet' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_UNCATEGORIZED
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| ModifiedProperties | target.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteDesignInvoked
다음 표에는 'SiteDesignInvoked' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| EventData | target.resource.attribute.labels.key/value
SiteDesignId is mapped to target.resource.attribute.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteContentTypeCreated
다음 표에는 'SiteContentTypeCreated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| ListTitle | about.labels.key/value |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SiteCollectionQuotaModified
다음 표에는 'SiteCollectionQuotaModified' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING ObjectId is mapped to target.url |
|
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
ShortcutAdded
다음 표에는 'ShortcutAdded' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATIONObjectId is mapped to target.url | |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| Site | target.labels.key/value |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| SiteUrl | network.http.referral_url |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceName | principal.labels.key/value |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
SPOIBIsEnabled
다음 표에는 'SPOIBIsEnabled' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
WebAccessRequestApproverModified
다음 표에는 'WebAccessRequestApproverModified' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| ModifiedProperties | target.labels.key/value
if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
Set-TransportConfig
다음 표에는 'Set-TransportConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| AppId | target.labels.key/value |
| Parameters | principal.user.email_addresses
principal.user.userid If Name is Identity then Valueis mapped toprincipal.user.email_addresses or principal.user.userid |
Set-TenantObjectVersion
다음 표에는 'Set-TenantObjectVersion' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value
If Name is DomainController then Value is mapped to target.administrative_domain else target.labels.key/value |
Set-RecipientEnforcementProvisioningPolicy
다음 표에는 'Set-RecipientEnforcementProvisioningPolicy' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Set-PolicyConfig
다음 표에는 'Set-PolicyConfig' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to ACCESS_POLICY |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-OwaMailboxPolicy
다음 표에는 'Set-OwaMailboxPolicy' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Set-MailboxPlan
다음 표에는 'Set-MailboxPlan' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Set-LabelProperties
다음 표에는 'Set-LabelProperties' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
| SessionId | network.session_id |
Set-Label
다음 표에는 'Set-Label' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Set-ExchangeAssistanceConfig
다음 표에는 'Set-ExchangeAssistanceConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.url
target.labels.key/value If Name is PrivacyStatementURL then Value is mapped to target.url else target.labels.key/value |
Set-ConditionalAccessPolicy
다음 표에는 'Set-ConditionalAccessPolicy' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.labels.key/value If Name is DisplayName then Value is mapped to target.resource.name else target.labels.key/value |
| SessionID | network.session_id |
New-ConditionalAccessPolicy
다음 표에는 'New-ConditionalAccessPolicy' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.labels.key/value If Name is DisplayName then Value is mapped to target.resource.name else target.labels.key/value |
| SessionID | network.session_id |
RemovedSearchReport
다음 표에는 'RemovedSearchReport' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
Get-PrivacyManagementPolicy
다음 표에는 'Get-PrivacyManagementPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
Set-RetentionCompliancePolicy
다음 표에는 'Set-RetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| Parameters | target.process.command_line |
SearchTrialOffer
다음 표에는 'SearchTrialOffer' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchTIKustoClusterInformation
다음 표에는 'SearchTIKustoClusterInformation' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchMtpRoleInfo
다음 표에는 'SearchMtpRoleInfo' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchMailflowForwardingData
다음 표에는 'SearchMailflowForwardingData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchDataInsightsSubscription
다음 표에는 'SearchDataInsightsSubscription' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchCustomerInsight
다음 표에는 'SearchCustomerInsight' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchConnectorReportData
다음 표에는 'SearchConnectorReportData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertAggregate
다음 표에는 'SearchAlertAggregate' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlert
다음 표에는 'SearchAlert' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Enable-AddressListPaging
다음 표에는 'Enable-AddressListPaging' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Install-AdminAuditLogConfig
다음 표에는 'Install-AdminAuditLogConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
AccessedAggregates
다음 표에는 'AccessedAggregates' 작업과 'Mip' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| DataType | security_result.description |
| version | metadata.product_version |
AccessedSiteList
다음 표에는 'AccessedSiteList' 작업과 'Mip' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| DataType | security_result.description |
| version | metadata.product_version |
Install-DataClassificationConfig
다음 표에는 'Install-DataClassificationConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Set-UnifiedGroup
다음 표에는 'Set-UnifiedGroup' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. if ResultStatus is TRUE then security_result.action is set to ALLOW else security_result.action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | network.application_protocol
target.user.email_addresses target.group.email_addresses If Name is EmailAddresses then extract value of Value, then emails and mail_key from that Value field, email_addresses with target.user.email_addresses, mail_key with network.email.mail_id If Name is ExternalEmailAddress then extract value of Value field, then extract protocol and emails from it, map protocol with network.application_protocol and emails with target.group.email_addresses. Protocol is mapped to network.application_protocol EmailAddresses is mapped to target.user.email_addresses ExternalEmailAddress is mapped to target.group.email_addresses |
| SessionId | network.session_id |
ApplicableAdaptivePolicyChange
다음 표에는 'ApplicableAdaptivePolicyChange' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | security_result.detection_fields.key/value.
target.resource.product_object_id if Name is CorrelationId then Name is mapped to security_result.detection_fields.key/value. if Name is AssociatedAdaptivePolicyIds then AssociatedAdaptivePolicyIds is mapped to target.resource.product_object_id |
| ObjectType | security_result.summary |
Get-AppRetentionComplianceRule
다음 표에는 'Get-AppRetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{:target_resource_product_object_id}\ } } |
New-AppRetentionComplianceRule
다음 표에는 'New-AppRetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| ClientRequestId | principal.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.name target.resource.product_object_id Extract Policy and Name using grok Name is mapped to target.resource.name Policy is mapped to target.resource.product_object_id |
| StartTime | target.resource.attribute.creation_time |
New-AppRetentionCompliancePolicy
다음 표에는 'New-AppRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| ClientRequestId | principal.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| StartTime | target.resource.attribute.creation_time |
Set-AppRetentionCompliancePolicy
다음 표에는 'Set-AppRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| StartTime | target.resource.attribute.creation_time |
Install-DefaultSharingPolicy
다음 표에는 'Install-DefaultSharingPolicy' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
Install-ResourceConfig
다음 표에는 'Install-ResourceConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
New-Mailbox
다음 표에는 'New-Mailbox' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZEDObjectId is mapped to target.url | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
| SessionId | network.session_id |
Add-MailboxFolderPermission
다음 표에는 'Add-MailboxFolderPermission' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.user.user_display_name target.user.attribute.permissions.name target.labels.key/value If Name is Identity then Value is mapped to target.resource.name If Name is User then Value is mapped to target.user.user_display_name If Name is AccessRights then Value is mapped to target.user.attribute.permissions.name else target.labels.key/value |
New-LabelPolicy
다음 표에는 'New-LabelPolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to ACCESS_POLICY |
|
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
New-Label
다음 표에는 'New-Label' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.name |
| StartTime | target.resource.attribute.creation_time |
| UserServicePlan | principal.labels.key/value |
Get-ActivityAlert
다음 표에는 'Get-ActivityAlert' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ProtectionAlert
다음 표에는 'Get-ProtectionAlert' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
SearchComplianceCase
다음 표에는 'SearchComplianceCase' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Remove-ComplianceTag
다음 표에는 'Remove-ComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Remove-AppRetentionCompliancePolicy
다음 표에는 'Remove-AppRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource_resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Remove-RetentionCompliancePolicy
다음 표에는 'Remove-RetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource_resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
New-ComplianceTag
다음 표에는 'New-ComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Enable-ComplianceTagStorage
다음 표에는 'Enable-ComplianceTagStorage' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceRetentionEventType
다음 표에는 'Get-ComplianceRetentionEventType' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AggregateActivityData
다음 표에는 'AggregateActivityData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Set-ComplianceTag
다음 표에는 'Set-ComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-FilePlanPropertyStructure
다음 표에는 'Get-FilePlanPropertyStructure' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
New-ComplianceRetentionEventType
다음 표에는 'New-ComplianceRetentionEventType' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is mapped to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line
target.resource.name target_resource_name is mapped to target.resource.name |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-DlpSensitiveInformationTypeRulePackage
다음 표에는 'Get-DlpSensitiveInformationTypeRulePackage' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceRetentionEvent
다음 표에는 'Get-ComplianceRetentionEvent' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
ComplianceSecurityFilter
다음 표에는 'ComplianceSecurityFilter' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-QuarantineMessage
다음 표에는 'Get-QuarantineMessage' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AggregateThreatProfileDetails
다음 표에는 'AggregateThreatProfileDetails' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-DlpDetectionsReport
다음 표에는 'Get-DlpDetectionsReport' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| ClientApplication | principal.application |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| Parameters | target.process.command_line |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-AppRetentionCompliancePolicy
다음 표에는 'Get-AppRetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Add-RoleGroupMember
다음 표에는 'Add-RoleGroupMember' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
Update-RoleGroupMember
다음 표에는 'Update-RoleGroupMember' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| SessionId | network.session_id |
New-RoleGroup
다음 표에는 'New-RoleGroup' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| SessionId | network.session_id |
| ClientAppId | target.labels.key/value |
Provision-ComplianceMailboxFolder
다음 표에는 'Provision-ComplianceMailboxFolder' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.resource.product_object_id
target.labels.key/value need to discuss mapping of MultiStageReviewFolderSetting in parameter fields If Name is FolderName then Value is mapped to target.resource_product_object_id else target.labels.key/value |
Remove-Mailbox
다음 표에는 'Remove-Mailbox' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.resource.name
target.labels.key/value If Name is Identity then Value is mapped to target.resource.name else target.labels.key/value |
New-QuarantinePolicy
다음 표에는 'New-QuarantinePolicy' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| ClientVersion | metadata.product_version |
| version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.resource.name
target.labels.key/value If Name is Name then Value is mapped to target.resource.name All other parameters will map with target.labels.key/value |
| SessionId | network.session_id |
Get-RoleGroup
다음 표에는 'Get-RoleGroup' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True { Action is set to ALLOW } else { Action is set to BLOCK } |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses else target.group.attribute.labels.key/value |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
SearchLabelAnalyticsActivityData
다음 표에는 'SearchLabelAnalyticsActivityData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | about.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-DlpCompliancePolicy
다음 표에는 'Get-DlpCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| UserServicePlan | principal.labels.key/value |
SearchSecurityRedirection
다음 표에는 'SearchSecurityRedirection' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | about.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-ComplianceCaseMember
다음 표에는 'Get-ComplianceCaseMember' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
HoldViewed
다음 표에는 'HoldViewed' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.category_details |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is HoldId then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
Get-eDiscoveryCaseAdmin
다음 표에는 'Get-eDiscoveryCaseAdmin' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RoleGroupMember
다음 표에는 'Get-RoleGroupMember' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ManagementRole
다음 표에는 'Get-ManagementRole' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Set-RoleGroup
다음 표에는 'Set-RoleGroup' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.group.group_display_name
target.process.command_line Extract DisplayName using grok Name is mapped totarget.group.group_display_name |
| Version | metadata.product_version |
| ResultCountSecurityComplianceCenterEventType | about.labels.key/value |
Get-SecurityPrincipal
다음 표에는 'Get-SecurityPrincipal' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-CaseHoldRule
다음 표에는 'Get-CaseHoldRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } } |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
ViewedSearchReport
다음 표에는 'ViewedSearchReport' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
| Case | metadata.description |
| ExchangeLocations | security_result.summary |
| ExtendedProperties | target.resource.product_object_id
about.labels.key/value If Name is CaseId then ID is mapped to target.resource.product_object_id If Name is SearchIds then ID is mapped to about.labels.key/value |
| ObjectType | security_result.summary |
| PublicFolderLocations | security_result.category_details |
| Query | security_result.description |
| SharepointLocations | security_result.category_details |
Get-AdaptiveScope
다음 표에는 'Get-AdaptiveScope' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RetentionCompliancePolicy
다음 표에는 'Get-RetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
target.resource.resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
New-RetentionCompliancePolicy
다음 표에는 'New-RetentionCompliancePolicy' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
target.resource.resource_type is set to ACCESS_POLICY |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
New-RetentionComplianceRule
다음 표에는 'New-RetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } } |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-ComplianceTag
다음 표에는 'Get-ComplianceTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Set-RetentionComplianceRule
다음 표에는 'Set-RetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RegulatoryComplianceUI
다음 표에는 'Get-RegulationComplianceUI' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-RetentionComplianceRule
다음 표에는 'Get-RetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line
target.resource.product_object_id Extract Policy using grok grok { match is mapped to { Parameters .*-Policy \{target_resource_product_object_id}\ } } |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
New-AdaptiveScope
다음 표에는 'New-AdaptiveScope' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.resource.name
target.process.command_line Extract Name using grok Name is mapped to target.resource.name |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Enable-AdaptiveScopeStorage
다음 표에는 'Enable-AdaptiveScopeStorage' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
SearchCustomTag
다음 표에는 'SearchCustomTag' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | about.labels.key/value |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Set-RegulatoryComplianceUI
다음 표에는 'Set-Regulation ComplianceUI' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | target.process.command_line |
| Version | metadata.product_version |
RemoveRetentionComplianceRule
다음 표에는 'RemoveRetentionComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | If Name is CmdletOptions then store value of Value in process_args variable.
If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} The name and value for the parameters that were used with the corresponding cmdlet. |
| Version | metadata.product_version |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
| ObjectType | security_result.summary |
NewAdaptiveScope
다음 표에는 'NewAdaptiveScope' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Parameters | principal.process.command_line
The name and value for the parameters that were used with the corresponding cmdlet. If Name is CmdletOptions then store value of Value in process_args variable. If Name is Cmdlet then store value of Value in process_value variable. then map principal.process.command_line is {process_value} {process_args} |
| Version | metadata.product_version |
| ObjectType | security_result.summary |
| ExtendedProperties | target.user.user_display_name
target.resource.name security_result.description target.resource.attribute.labels.key/value If Name is CreatedBy then Value is mapped to target.user.user_display_name If Name is PolicyName then Value is mapped to target.resource.name If Name is Description then Value is security_result.description If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value |
CommentCreated
다음 표에는 'CommentCreated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| WebId | about.labels.key/value |
| SourceFileExtension | target.file.mime_type |
| SiteUrl | network.http.referral_url |
| SourceFileName | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| SourceRelativeUrl | target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
| CommentId | about.labels.key/value |
DeviceAccessPolicyChanged
다음 표에는 'DeviceAccessPolicyChanged' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | metadata.product_version |
| CorrelationId | security_result.detection_fields.key/value. |
| ModifiedProperties | target.labels.key/value |
하트비트
다음 표에는 'HeartBeat' 작업과 'Aip' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Common | target.resource.product_object_id
target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version |
| Version | metadata.product_version |
MessageCreation
다음 표에는 'MessageCreation' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
| MessageID | target.resource.product_object_id |
ThreadViewed
다음 표에는 'ThreadViewed' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
| ThreadID | about.labels.key/value |
StreamEditAdminGlobalRoleMembers
다음 표에는 'StreamEditAdminGlobalRoleMembers' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION
if ResultStatus is SUCCEEDED then action is set to ALLOW else action is set to BLOCK |
|
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeGetTextTrack
다음 표에는 'StreamInvokeGetTextTrack' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeChannelView
다음 표에는 'StreamInvokeChannelView' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeVideoMakePublic
다음 표에는 'StreamInvokeVideoMakePublic' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
StreamInvokeGroupView
다음 표에는 'StreamInvokeGroupView' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
Set-CsOnlineDirectoryTenant
다음 표에는 'Set-CsOnlineDirectoryTenant' 작업과 'SkypeForBusiness' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | target.labels.key/value |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
Set-CsHostedVoicemailPolicy
다음 표에는 'Set-CsHostedVoicemailPolicy' 작업과 'SkypeForBusiness' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | target.administrative_domain
target.url target.labels.key/value If Name is Organization then Value is mapped to target.administrative_domain If Name is Destination then Value is mapped to target.url else target.labels.key/value |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
Get-CSSimpleUrlConfiguration
다음 표에는 'Get-CSSimpleUrlConfiguration' 작업과 'SkypeForBusiness' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| CmdletVersion | metadata.product_version |
| Parameters | target.administrative_domain
target.labels.key/value If Name is Organization then Value is mapped to target.administrative_domain else target.labels.key/value |
| SkypeForBusinessEventType | about.labels.key/value |
| TenantName | target.resource.product_object_id |
| Version | metadata.product_version |
New-ExchangeAssistanceConfig
다음 표에는 'New-ExchangeAssistanceConfig' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
New-App
다음 표에는 'New-App' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.labels.key/value |
| SessionId | network.session_id |
PublishToWebReport
다음 표에는 'PublishToWebReport' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| ReportName | target.resource.name |
| WorkspaceId | target.resource.attribute.labels.key/value |
| DatasetId | target.resource.attribute.labels.key/value |
| ReportId | target.resource.product_object_id |
| ReportType | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| DistributionMethod | about.labels.key/value |
UpdateGateway
다음 표에는 'UpdateGateway' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| SwitchState | about.labels.key/value |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
| RequestId | about.labels.key/value |
| GatewayId | target.resource.product_object_id |
ShareDataset
다음 표에는 'ShareDataset' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| WorkspaceId | target.resource.attribute.labels.key/value |
| ArtifactId | target.resource.product_object_id |
| ArtifactName | target.resource.name |
| RequestId | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| SharingAction | about.labels.key/value |
GetRefreshablesAsAdmin
다음 표에는 'GetRefreshablesAsAdmin' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| RequestId | about.labels.key/value |
| UserAgent | network.http.user_agent |
| ActivityId | principal.labels.key/value |
CreateTagJob
다음 표에는 'CreateTagJob' 작업과 'Compliance' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| CaseID | target.resource.product_object_id |
| CaseName | target.resource.name |
| EndTime | target.resource.attribute.last_update_time |
| ExtendedProperties | target.resource.attribute.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
위임된 권한 부여 추가
다음 표에는 Add delegated permission grant 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
|
|
| Version | metadata.product_version
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | target.resource.product_object_id
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If |
| TargetContextId | target.labels.key/value
|
서비스 주 구성원에 앱 역할 할당 추가
다음 표에는 '서비스 주 구성원에 앱 역할 할당 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name security_result.summary If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
애플리케이션 업데이트
다음 표에는 '애플리케이션으로 업데이트' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
애플리케이션 업데이트 – 인증서 및 보안 비밀 관리
다음 표에는 Update application – Certificates and secrets management 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
if |
|
| Version | metadata.product_version
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
|
| TargetContextId | target.labels.key/value
|
애플리케이션에 소유자 추가
다음 표에는 '애플리케이션에 소유자 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name security_result.summaryIf Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id If Name is Application.DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.labels.key/value |
| TargetContextId | target.labels.key/value |
애플리케이션에 추가
다음 표에는 '애플리케이션에 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
기기 구성 추가
다음 표에는 '기기 구성 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
확인되지 않은 도메인 추가
다음 표에는 '확인되지 않은 도메인 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is Name then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
정책 추가
다음 표에는 '정책 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Version | metadata.product_version |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.name
security_result.summary If Name is DisplayName then NewValue is mapped to target.resource.name If Name is Included Updated Properties then NewValue is mapped to security_result.summary |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | security_result.detection_fields.key/value |
| TargetContextId | target.labels.key/value |
CreateResponse
다음 표에는 'CreateResponse' 작업과 'MicrosoftForms' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
EditForm
다음 표에는 'EditForm' 작업과 'MicrosoftForms' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
SubmitResponse
다음 표에는 'SubmitResponse' 작업과 'MicrosoftForms' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
ViewResponses
다음 표에는 'ViewResponses' 작업과 'MicrosoftForms' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
ViewRuntimeForm
다음 표에는 'ViewRuntimeForm' 작업과 'MicrosoftForms' 워크로드의 로그 필드와 이에 대한 UDM 매핑이 나열되어 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
DeleteFlow
다음 표에는 'DeleteFlow' 작업과 'MicrosoftForms' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION | |
| FormsUserTypes | target.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
ListViewed
다음 표에는 'ListViewed' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| ItemCount | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| TemplateTypeId | about.labels.key/value |
ListColumnUpdated
다음 표에는 'ListColumnUpdated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListContentTypeUpdated
다음 표에는 'ListContentTypeUpdated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListItemDeleted
다음 표에는 'ListItemDeleted' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListUpdated
다음 표에는 'ListUpdated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| TemplateTypeId | about.labels.key/value |
| ApplicationDisplayName | target.application |
| ItemCount | target.labels.key/value |
ListItemCreated
다음 표에는 'ListItemCreated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| TemplateTypeId | about.labels.key/value |
| ItemCount | target.labels.key/value |
ListColumnCreated
다음 표에는 'ListColumnCreated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| TemplateTypeId | about.labels.key/value |
| ItemCount | target.labels.key/value |
SiteContentTypeUpdated
다음 표에는 'SiteContentTypeUpdated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
ListItemViewed
다음 표에는 'ListItemViewed' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| ItemCount | target.labels.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListItemUniqueId | principal.asset_id |
ListItemUpdated
다음 표에는 'ListItemUpdated' 작업과 'SharePoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is mapped to target.url |
|
| Site | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| EventSource | principal.application |
| SourceName | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| MachineDomainInfo | target.asset.attribute.labels.key/value |
| MachineId | target.asset.product_object_id |
| Version | medata.product_version |
| CorrelationId | security_result.detection_fields.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| WebId | about.labels.key/value |
| target.file.size | target.labels.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListItemUniqueId | principal.asset_id |
FileRenamed
다음 표에는 'FileRenamed' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_MOVE | |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileType | target.resource.attribute.labels.key/value |
| PreviousFileName | src.file.full_path |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
UpdatePowerApp
다음 표에는 'UpdatePowerApp' 작업과 'PowerApps' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| AppName | target.labels.key/value |
| Id | metadata.product_log_id |
SubscribedToMessages
다음 표에는 'SubscribedToMessages' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| ExtraProperties | additional.fields.key/value.string_value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessageCreatedNotification
다음 표에는 'MessageCreatedNotification' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| MessageVersion | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessageUpdatedNotification
다음 표에는 'MessageUpdatedNotification' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| MessageVersion | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessageCreatedHasLink
다음 표에는 'MessageCreatedHasLink' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MessagesListed
다음 표에는 'MessagesListed' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| ChannelGuid | target.resource.product_object_id |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| OperationScope | about.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
PerformedCardAction
다음 표에는 'PerformedCardAction' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| AddOnGuid | target.labels.key/value |
| AddOnName | target.labels.key/value |
| AddOnType | target.labels.key/value |
| ChannelGuid | target.resource.product_object_id |
| ChannelName | target.resource.name |
| ChannelType | target.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| CommunicationType | about.labels.key/value |
| TeamGuid | target.user.group_identifiers and target.group.product_object_id |
| TeamName | target.group.group_display_name |
| Version | metadata.product_version |
MessageEditedHasLink
다음 표에는 'MessageEditedHasLink' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| MessageId | target.resource.product_object_id |
| MessageURLs | target.resource.attribute.labels.key/value |
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| SubscriptionId | target.resource.attribute.labels.key/value |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| OperationScope | about.labels.key/value |
| Version | metadata.product_version |
MeetingParticipantDetail
다음 표에는 'MeetingParticipantDetail' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Attendees | about.resource.product_object_id
about.user.product_object_id about.user.attribute.roles.name OrganizationId is mapped to about.resource.product_object_id Role is mapped to about.user.attribute.roles.name UserObjectId is set to about.user.product_object_id |
| ExtraProperties | additional.fields.key/value.string_value |
| JoinTime | target.resource.attribute.creation_time |
| LeaveTime | target.resource.attribute.last_update_time |
| MeetingDetailId | target.resource.product_object_id |
| Version | metadata.product_version |
MeetingDetail
다음 표에는 'MeetingDetail' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| StartTime | target.resource.attribute.creation_time |
| EndTime | target.resource.attribute.last_update_time |
| ExtraProperties | additional.fields.key/value.string_value |
| MeetingURL | target.url |
| MessageId | target.resource.product_object_id |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| Modalities | security_result.summary |
| Organizer | principal.user.product_object_id |
| Version | metadata.product_version |
MessageUpdated
다음 표에는 'MessageUpdated' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| ExtraProperties | additional.fields.key/value.string_value |
| MessageVersion | target.resource.attribute.labels.key/value |
| MessageId | target.resource.product_object_id |
| ChatThreadId | target.user.group_identifiers
target.group.product_object_id |
| CommunicationType | about.labels.key/value |
| Version | metadata.product_version |
AggregateTransportQueueData
다음 표에는 'AggregateTransportQueueData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AuthorizeCustomerInsight
다음 표에는 'AuthorizeCustomerInsight' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AuthorizeConnectorReportData
다음 표에는 'AuthorizeConnectorReportData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertOverride
다음 표에는 'SearchAlertOverride' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AuthorizeMailflowForwardingData
다음 표에는 'AuthorizeMailflowForwardingData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchDomainTrafficStatus
다음 표에는 'SearchDomainTrafficStatus' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertActivity
다음 표에는 'SearchAlertActivity' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateMailmetadata
다음 표에는 'AggregateMailmetadata' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
InsightGenerated
다음 표에는 'InsightGenerated' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| Category | security_result.category_details |
| Description | security_result.description |
| InsightId | target.resource.product_object_id |
| Name | target.resource.name |
| Version | metadata.product_version |
UserSubmission
다음 표에는 'UserSubmission' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCAN_UNCATEGORIZED
security_result.category is MAIL_SPAM |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| ClientApplication | principal.application |
| KesMailId | network.email.mail_id |
| ExtendedProperties | security_result.rule_name
security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details |
| P1SenderDomain | principal.administrative_domain |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| P2Sender | network.email.from |
| SubmissionState | security_result.summary |
| P1Sender | principal.user.email_addresses |
| Version | metadata.product_version |
SaveRoleGroupMember
다음 표에는 'SaveRoleGroupMember' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateCampaignIntelligenceData
다음 표에는 'AggregateCampaignIntelligenceData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchEmailTimelineEvents
다음 표에는 'SearchEmailTimelineEvents' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
SearchAlertStory
다음 표에는 'SearchAlertStory' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
AggregateThreatDetailsBulk
다음 표에는 'AggregateThreatDetailsBulk' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
Get-User
다음 표에는 'Get-User' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line
target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
Get-DlpComplianceRule
다음 표에는 'Get-DlpComplianceRule' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line
target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
AnalyzedByExternalApplication
다음 표에는 'AnalyzedByExternalApplication' 작업과 'Power BI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to RESOURCE_READ | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.name |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.attribute.labels.key/value |
| SwitchState | about.labels.key/value |
| ActivityId | principal.labels.key/value |
| UserAgent | network.http.user_agent |
| RequestId | about.labels.key/value |
New-MigrationBatch
다음 표에는 'New-MigrationBatch' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.resource.name
target.administrative_domain target.resource.attribute.key/value If Name is Name then Value is mapped to target.resource.name if Name is TargetDeliveryDomain then Value is mapped to target.administrative_domain If Name is AutoStart then Value is mapped to target.resource.attribute.key/value If Name is AutoComplete then Value is mapped to target.resource.attribute.key/value |
| SessionId | network.session_id |
UserSubmissionTriage
다음 표에는 'UserSubmissionTriage' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SCAN_UNCATEGORIZED
security_result.category is set to MAIL_SPAM |
|
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | about.labels.key/value |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| ExtendedProperties | security_result.rule_name
security_result.rule_id security_result.category_details SubmissionSource is mapped to security_result.rule_name SubmissionId is mapped to security_result.rule_id SubmissionCategory is mapped to security_result.category_details |
| GradingResult | security_result.category_details |
| KesMailId | network.email.mail_id |
| P1Sender | principal.user.email_addresses |
| P1SenderDomain | principal.administrative_domain |
| P2Sender | network.email.from |
| Recipients | network.email.to |
| SenderIP | principal.ip |
| Subject | network.email.subject |
| SubmissionState | security_result.summary |
FileArchived
다음 표에는 'FileArchived' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileCreatedOnNetworkShare
다음 표에는 'FileCreatedOnNetworkShare' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_CREATION | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileCreatedOnRemovableMedia
다음 표에는 'FileCreatedOnRemoveableMedia' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_CREATION | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
SlimFilePrinted
다음 표에는 'SlimFilePrinted' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
target.asset.type is PRINTER |
|
| Application | target.application |
| DeviceName | target.hostname |
| FileType | target.resource.attribute.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |
FilePrinted
다음 표에는 'FilePrinted' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
target.asset.type is PRINTER |
|
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetPrinterName | target.asset.hostname |
| Version | metadata.product_version |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| PreviousFileName | src.file.full_path |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
ArchiveCreated
다음 표에는 'ArchiveCreated' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
FileDownloadedFromBrowser
다음 표에는 'FileDownloadedFromBrowser' 작업과 'Endpoint' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
| Application | target.application |
| DestinationLocationType | target.labels.key/value |
| DeviceName | target.hostname |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
| TargetFilePath | target.file.full_path |
| Version | metadata.product_version |
사용자의 애플리케이션 비밀번호 만들기
다음 표에는 '사용자 애플리케이션 비밀번호 만들기' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
security_result.detection_fields.key/value If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
SearchNdrDetailData
다음 표에는 'SearchNdrDetailData' 작업과 'SecurityComplianceCenter' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GENERIC_EVENT | |
| StartTime | target.resource.attribute.creation_time |
| ClientRequestId | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| UserServicePlan | principal.labels.key/value |
| Parameters | target.process.command_line
target.resource.product_object_id |
| ClientApplication | principal.application |
| Version | metadata.product_version |
| SecurityComplianceCenterEventType | about.labels.key/value |
| AadAppId | target.labels.key/value |
| DatabaseType | target.resource.attribute.labels.key/value |
| DataType | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
MessageUpdated
다음 표에는 'MessageUpdated' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
If ResultStatus is TRUE then action is ALLOW else action is BLOCK |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
액세스
다음 표에는 '액세스' 작업과 'Aip' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is set to target.file.full_path |
|
| Common | target.resource.product_object_id
target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version |
| DataState | security_result.summary |
| Version | metadata.product_version |
둘러보기
다음 표에는 '둘러보기' 작업과 'Aip' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS
ObjectId is set to target.file.full_path |
|
| Common | target.resource.product_object_id
target.resource.name target.process.command_line target.hostname metadata.product_version ApplicationId is mapped to target.resource.product_object_id ApplicationName is mapped to target.resource.name ProcessName is mapped to target.process.command_line DeviceName is mapped to target.hostname ProductVersion is mapped to metadata.product_version |
| DataState | security_result.summary |
| Version | metadata.product_version |
TIUrlClickData
다음 표에는 'TIUrlClickData' 작업과 'ThreatIntelligence' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| AppName | target.application |
| AppVersion | metadata.product_version |
| EventDeepLink | metadata.url_back_to_product |
| SourceId | AppName is Mail then SourceId is mapped to network.email.id |
| Url | target.url |
| UserIp | principal.ip |
| Version | metadata.product_version |
기기가 더 이상 관리되지 않음
다음 표에는 '기기가 더 이상 관리되지 않음' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_DELETION
target.resource.resource_type is set to DEVICE |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.asset.product_object_id
target.platform If Name is TargetId.DeviceId then NewValue is mapped to target.asset.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
AirInvestigationData
다음 표에는 'AirInvestigationData' 작업과 'AirInvestigation' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| LastUpdateTimeUtc | target.resource.attribute.last_update_time |
| Status | security_result.summary |
| InvestigationId | target.resource.product_object_id |
| InvestigationType | target.resource.attribute.labels.key/value |
| Data | security_result.description
security_result.category_details network.email.to network.email.from network.email.mail_id network.email.subject network.direction principal.ip principal.administrative_domain principal.user.email_addresses Data.Description is mapped to security_result.description Data.Category is mapped to security_result.category_details Data.Entities.1.Recipient is mapped to network.email.to Data.Entities.1.Sender is mapped to network.email.from Data.Entities.1.InternetMessageId is mapped to network.email.mail_id Data.Entities.1.Subject is mapped to network.email.subject Data.Entities.1.AntispamDirection is mapped to network.direction Data.Entities.1.SenderIP is mapped to principal.ip Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain Data.Entities.1.P1Sender is mapped to principal.user.email_addresses |
| InvestigationName | target.resource.name |
| StartTimeUtc | target.resource.attribute.creation_time |
| Version | metadata.product_versionn |
| DeepLinkUrl | metadata.url_back_to_product |
Set-MailboxJunkEmailConfiguration
다음 표에는 'Set-MailboxJunkEmailConfiguration' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| OriginatingServer | principal.hostname |
| OrganizationName | target.administrative_domain |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| Parameters | target.user.email_addresses
If Name is BlockedSendersAndDomains then Value is mapped to target.user.email_addresses (all email addresses comes as ; separated) |
| SessionId | network.session_id |
| Version | metadata.product_version |
New-DistributionGroup
다음 표에는 'New-DistributionGroup' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_CREATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name security_result.description target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is ManagedBy then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name If Name is Member then Value is mapped to security_result.description else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
Add-DistributionGroupMember
다음 표에는 'Add-DistributionGroupMember' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION
ObjectId is set to target.group.group_display_name security_result.summary is set to Group Members definition If ResultStatus is True then Action is set to ALLOW else Action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.group.product_object_id or target.group.email_addresses
target.user.product_object_id or target.user.email_addresses or target.user.user_display_name target.group.attribute.labels.key/value If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid else target.group.attribute.labels.key/value |
| SessionId | network.session_id |
Remove-InboxRule
다음 표에는 'Remove-InboxRule' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_DELETION
target.resource.resource_type is set to SETTING ObjectId is set to target.group.product_object_id |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | security_result.rule_labels.key/value |
| SessionId | network.session_id |
Enable-Mailbox
다음 표에는 'Enable-Mailbox' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_CREATION | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id or target.user.email_addresses or target.user.user_display_name
target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid if Name is Archive then Value is mapped to target.resource.attribute.labels.key/value |
| SessionId | network.session_id |
가져오기
다음 표에는 '가져오기' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to FILE_UNCATEGORIZED | |
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | target.user.email_addresses
target.user.attribute.permission.name We map this field based on value of UpdateApp Operation value. recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | about.user.email_addresses
about.user.user_display_name about.user.product_object_id about.user.attribute.permissions.name RecipientEmail is mapped to about.user.email_addresses RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| SwitchState | about.labels.key/value |
| ImportSource | about.labels.key/value |
| ImportType | target.file.mime_type |
| ImportDisplayName | target.file.full_path |
기기가 더 이상 규정을 준수하지 않음
다음 표에는 '기기가 더 이상 규정을 준수하지 않음' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to DEVICE |
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.platform
target.resource.product_object_id If Name is TargetId.DeviceId then NewValue is mapped to target.resource.product_object_id If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
계정 사용 설정
다음 표에는 Enable account 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
|
|
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value
|
| ExtendedProperties | network.http.user_agent
If
if else
|
| ModifiedProperties | security_result.summary
If
If
If
If |
| Actor | security_result.detection_fields.key/value
|
| ActorContextId | principal.labels.key/value
|
| ActorIpAddress | principal.ip and principal.port
|
| InterSystemsId | target.resource.attribute.labels.key/value
|
| IntraSystemId | target.resource.attribute.labels.key/value
|
| SupportTicketId | about.labels.key/value
|
| Target | target.user.userid or target.user.email_addresses
If else
|
| version | metadata.product_version
|
| TargetContextId | target.labels.key/value
|
서비스 주 구성원 사용자 인증 정보 추가
다음 표에는 '서비스 주 구성원 사용자 인증 정보 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Set-SyncUser
다음 표에는 'Set-SyncUser' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id or target.user.email_addresses or target.user.user_display_name
If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid |
| SessionId | network.session_id |
MessageSent
다음 표에는 'MessageSent' 작업과 'MicrosoftTeams' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE
If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT. |
|
| MessageSizeInBytes | target.resource.attribute.labels.key/value |
| ChannelGuid | target.labels.key/value |
| OperationScope | about.labels.key/value |
| TeamGuid | target.user.group_identifiers
target.group.product_object_id |
| TeamName | target.group.group_display_name |
| AADGroupId | target.labels.key/value |
| CommunicationType | about.labels.key/value |
| MessageId | target.resource.product_object_id |
| Version | metadata.product_version |
| MessageVersion | target.resource.attribute.labels.key/value |
서비스 주 구성원 사용자 인증 정보 삭제
다음 표에는 '서비스 주 구성원 사용자 인증 정보 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | security_result.summary
target.labels.key/value If Name is Included Updated Properties then NewValue is mapped to security_result.summary else target.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Remove-MoveRequest
다음 표에는 'Remove-MoveRequest' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | target.user.product_object_id or target.user.email_addresses or target.user.user_display_name
target.resource.attribute.labels.key/value If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid If Name is ExecutingIdentity then Value is mapped to target.resource.attribute.labels.key/value |
StreamInvokeGetTranscript
다음 표에는 'StreamInvokeGetTranscript' 작업과 'MicrosoftStream' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_COMMUNICATION | |
| ClientApplicationId | principal.labels.key/value |
| EntityPath | metadata.url.back_to_product |
| OperationDetails | metadata.description |
| ResourceTitle | target.resource.name |
| ResourceUrl | target.url |
| Version | metadata.product_version |
그룹에서 소유자 삭제
다음 표에는 '그룹에서 소유자 삭제' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_MODIFICATION | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.group.product_object_id
target.group.group_display_nameIf Name is Group.ObjectID then NewValue is mapped to target.group.product_object_id If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
그룹에 앱 역할 할당 추가
다음 표에는 '그룹에 앱 역할 할당 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | network.http.user_agent
target.resource.attribute.labels.key/value about.labels.key/value If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | target.resource.product_object_id
target.resource.name target.group.group_display_name If Name is AppRole.Id then NewValue is mapped to target.resource.product_object_id If Name is AppRole.DisplayName then NewValue is mapped to target.resource.name If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
Disable-MailUser
다음 표에는 'Disable-MailUser' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_UNCATEGORIZED
ResultStatus is True Action is set to BLOCK |
|
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid |
New-FolderMoveRequest
다음 표에는 'New-FolderMoveRequest' 작업과 'Exchange' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to STATUS_UPDATE | |
| Version | metadata.product_version |
| AppId | target.labels.key/value |
| ClientAppId | target.labels.key/value |
| OrganizationName | target.administrative_domain |
| OriginatingServer | principal.hostname |
| Parameters | If Name is Name then Value is mapped to target.resource.name
If Name is DomainController then Value is mapped to target.administrative_domain If Name is Folders then Value is mapped to target.resource.attribute.labels.key/value |
정책에 소유자 추가
다음 표에는 '정책에 소유자 추가' 작업과 'AzureActiveDirectory' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| ExtendedProperties | If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent
if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value else about.labels.key/value |
| ModifiedProperties | If Name is Policy.ObjectID then NewValue is mapped to target.resource.product_object_id
If Name is Policy.DisplayName then NewValue is mapped to target.resource.name |
| Actor | security_result.detection_fields.key/value |
| ActorContextId | principal.labels.key/value |
| ActorIpAddress | principal.ip and principal.port |
| InterSystemsId | target.resource.attribute.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| SupportTicketId | about.labels.key/value |
| Target | target.user.userid or target.user.email_addresses
If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses else security_result.detection_fields.key/value |
| version | metadata.product_version |
| TargetContextId | target.labels.key/value |
EditContentProviderProperties
다음 표에는 'EditContentProviderProperties' 작업과 'PowerBI' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING |
|
| AppName | target.labels.key/value |
| DashboardName | target.resource.attribute.labels.key/value |
| DataClassification | target.labels.key/value |
| DatasetName | target.resource.attribute.labels.key/value |
| OrgAppPermission | We map this field based on value of UpdateApp Operation value.
recipients is mapped to target.user.email_addresses permissions is mapped to target.user.attribute.permissions.name |
| ReportName | target.resource.attribute.labels.key/value |
| SharingInformation | RecipientEmail is mapped to about.user.email_addresses
RecipientName is mapped to about.user.user_display_name ObjectId is set to about.user.product_object_id ResharePermission is mapped to about.user.attribute.permissions.name |
| WorkSpaceName | target.resource.name |
| WorkspaceId | target.resource.product_object_id |
| SwitchState | about.labels.key/value |
| ContentProviderCertificationStage | security_result.summary |
| AppId | target.labels.key/value |
| RequestId | about.labels.key/value |
ReportingAccessed
다음 표에는 'ReportingAccessed' 작업과 'Project' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| Version | metadata.product_version |
| Action | security_result.description |
| OnBehalfOfResId | about.labels.key/value |
GroupAccessFailure
다음 표에는 'GroupAccessFailure' 작업과 'Yammer' 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
| metadata.event_type is mapped to GROUP_UNCATEGORIZED | |
| ActorUserId | principal.user.email_addresses
principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| DataExportType | target.resource.attribute.labels.key/value |
| FileId | target.resource.product_object_id |
| FileName | target.file.full_path |
| GroupName | target.group.group_display_name |
| IsSoftDelete | security_result.description is set to IsSoftDelete - {IsSoftDelete} |
| MessageId | target.resource.product_object_id |
| YammerNetworkId | principal.labels.key/value |
| TargetUserId | target.user.email_addresses |
| TargetYammerUserId | target.labels.key/value |
| VersionId | about.labels.key/value |
| Version | metadata.product_version |
FileSensitivityLabelChanged
다음 표에는 FileSensitivityLabelChanged 작업과 SharePoint/OneDrive 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED
|
|
| AppAccessContext.CorrelationId | security_result.detection_fields.key/value |
| CorrelationId | security_result.detection_fields.key/value |
| DestinationFileExtension | target.file.mime_type |
| DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
| DestinationLabel | target.labels |
| EventSource | principal.application |
| HighPriorityMediaProcessing | about.labels |
| IsManagedDevice | about.labels |
| ItemType | target.resource.attribute.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ListServerTemplate | security_result.detection_fields.key/value |
| SensitivityLabelEventData.ActionSource | principal.labels.key/value |
| SensitivityLabelEventData.LabelEventType | target.labels.key/value |
| SensitivityLabelEventData.OldSensitivityLabelId | target.resource.product_object_id |
| SensitivityLabelEventData.OldSensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
| SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | src.file.mime_type |
| SourceFileName | src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName} |
| SourceRelativeUrl | src.file.full_path = %{SourceRelativeUrl}/%{SourceFileName} |
| SourceLabel | src.labels.key/value |
| UserAgent | network.http.user_agent |
| UserKey | target.labels |
| Version | metadata.product_version |
| WebId | about.labels.key/value |
FileRead
다음 표에는 FileRead 작업과 Endpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_READ
|
|
| Application | principal.application |
| DeviceName | target.hostname |
| DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
| DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
| EnforcementMode | target.labels |
| FileExtension | target.file.mime_type |
| FileSize | target.file.size |
| FileType | target.resource.attribute.labels.key/value |
| Hidden | security_result.detection_fields.key/value |
| JitTriggered | security_result.detection_fields.key/value |
| MDATPDeviceId | security_result.detection_fields.key/value |
| PolicyMatchInfo | target.resource.product_object_id
|
| RMSEncrypted | security_result.detection_fields.key/value |
| SensitiveInfoTypeData | security_result.detection_fields.key/value
|
| SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
| Sha1 | target.file.sha1 |
| Sha256 | target.file.sha256 |
| SourceLocationType | principal.labels.key/value |
MessageReadReceiptReceived
다음 표에는 MessageReadReceiptReceived 작업과 MicrosoftTeams 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE |
|
| ChatThreadId | target.user.group_identifiers
|
| CommunicationType | about.labels.key/value |
| MessageId | target.resource.product_object_id |
| MessageVersion | target.resource.attribute.labels.key/value |
| MessageVisibilityTime | target.resource.attribute.labels.key/value |
| ParticipantInfo.HasForeignTenantUsers | security_result.detection_fields.key/value |
| ParticipantInfo.HasGuestUsers | security_result.detection_fields.key/value |
| ParticipantInfo.HasOtherGuestUsers | security_result.detection_fields.key/value |
| ParticipantInfo.HasUnauthenticatedUsers | security_result.detection_fields.key/value |
| ParticipantInfo.ParticipatingTenantIds | security_result.detection_fields.key/value |
검색
다음 표에는 Search 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED |
|
| AadAppId | target.labels.key/value |
| RelativeUrl | target.url |
| ResultCount | target.labels.key/value |
| Version | metadata.product_version |
| DataType | security_result.description |
TaskDeleted
다음 표에는 TaskDeleted 작업과 MicrosoftTodo 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_DELETION
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
TaskUpdated
다음 표에는 TaskUpdated 작업과 MicrosoftTodo 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
TaskCreation
다음 표에는 TaskCreation 작업과 MicrosoftTodo 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_CREATION
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
SecurityGroupModified
다음 표에는 SecurityGroupModified 작업과 Project 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GROUP_MODIFICATION |
|
| CorrelationId | security_result.detection_fields.key/value |
| Entity | metadata.product_name |
| EventSource | principal.application |
| ItemType | target.resource.attribute.labels.key/value |
| UserAgent | network.http.user_agent |
| UserKey | target.labels |
| Version | metadata.product_version |
| AppAccessContext.UniqueTokenId | target.labels |
| AppAccessContext.CorrelationId | security_result.detection_fields.key/value |
LaunchPowerApp
다음 표에는 LaunchPowerApp 작업과 PowerApps 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GENERIC_EVENT |
|
| AppName | target.labels.key/value
|
| Version | metadata.product_version |
DeleteDatasetRows
다음 표에는 DeleteDatasetRows 작업과 PowerBI 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION.
If
else |
|
| UserAgent | network.http.user_agent
|
| WorkSpaceName | target.resource.attribute.labels.key/value
|
| DatasetName | target.resource.attribute.labels.key/value
|
| WorkspaceId | target.resource.attribute.labels.key/value
|
| DatasetId | target.resource.product_object_id
|
| DataConnectivityMode | target.resource.attribute.labels.key/value
|
| ArtifactId | target.resource.attribute.labels.key/value
|
| RequestId | about.labels.key/value
|
| ActivityId | principal.labels.key/value
|
| TableName | target.resource.attribute.labels.key/value
|
| LastRefreshTime | about.labels.key/value
|
| ArtifactKind | target.resource.attribute.labels.key/value
|
New-DlpCompliancePolicy
다음 표에는 New-DlpCompliancePolicy 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| ClientApplication | principal.labels.key/value
|
| CmdletVersion | metadata.product_version
|
| EffectiveOrganization | target.administrative_domain
|
| ObjectId | target.resource.product_object_id
|
| Parameters | target.process.command_line
|
| SecurityComplianceCenterEventType | about.labels.key/value
|
| StartTime | target.resource.attribute.creation_time
|
| UserKey | target.labels
|
| UserServicePlan | principal.labels.key/value
|
| Version | metadata.product_version
|
New-DlpComplianceRule
다음 표에는 New-DlpComplianceRule 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| ClientApplication | principal.labels.key/value
|
| CmdletVersion | metadata.product_version
|
| EffectiveOrganization | target.administrative_domain
|
| ObjectId | target.resource.product_object_id
|
| Parameters | target.process.command_line
|
| SecurityComplianceCenterEventType | about.labels.key/value
|
| StartTime | target.resource.attribute.creation_time
|
| UserKey | target.labels
|
| UserServicePlan | principal.labels.key/value
|
| Version | metadata.product_version
|
Get-InsiderRiskPolicy
다음 표에는 Get-InsiderRiskPolicy 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| ClientApplication | principal.labels.key/value
|
| CmdletVersion | metadata.product_version
|
| EffectiveOrganization | target.administrative_domain
|
| ObjectId | target.resource.product_object_id
|
| Parameters | target.process.command_line
|
| SecurityComplianceCenterEventType | about.labels.key/value
|
| StartTime | target.resource.attribute.creation_time
|
| UserKey | target.labels
|
| UserServicePlan | principal.labels.key/value
|
| Version | metadata.product_version
|
Set-HostedContentFilterPolicy
다음 표에는 Set-HostedContentFilterPolicy 작업과 Exchange 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
If
else |
|
| ExternalAccess | about.labels.key/value
|
| ObjectId | target.resource.product_object_id
|
| Version | metadata.product_version
|
| Parameters | target.resource.attribute.labels.key/value
|
| UserKey | target.labels.key/value
|
강력한 인증 사용 설정
다음 표에는 Enable Strong Authentication. 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
|
|
| ExtendedProperties | If Name is equal to additionalDetails then User-Agent is mapped with network.http.user_agent
else if else |
| ModifiedProperties | If Name is equal to Included Updated Properties then NewValue is mapped with security_result.summary
else |
ReactedToMessage
다음 표에는 ReactedToMessage 작업과 MicrosoftTeams 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| AppAccessContext.IssuedAtTime | target.labels.key/value
|
| AppAccessContext.UniqueTokenId | target.labels.key/value
|
| ChatThreadId | target.user.group_identifiers
|
| ChatThreadId | target.group.product_object_id
|
| MessageReactionType | target.resource.attribute.labels.key/value
|
| ChatName | target.group.group_display_name
|
| MessageId | target.resource.product_object_id
|
| ParticipantInfo.HasForeignTenantUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.HasGuestUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.HasOtherGuestUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.HasUnauthenticatedUsers | security_result.detection_fields.key/value
|
| ParticipantInfo.ParticipatingTenantIds | security_result.detection_fields.key/value
|
RemovableMediaUnmount
다음 표에는 RemovableMediaUnmount 작업과 Endpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED.
|
|
| MDATPDeviceId | target.asset.asset_id
|
| Platform | target.labels.key/value
|
| Scope | target.labels.key/value
|
| RemovableMediaDeviceAttributes.Manufacturer | target.asset.hardware.manufacturer
|
| RemovableMediaDeviceAttributes.Model | target.asset.hardware.model
|
| RemovableMediaDeviceAttributes.SerialNumber | target.asset.hardware.serial_number
|
FileUploadedToCloud
다음 표에는 FileUploadedToCloud 작업과 Endpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_SYNC.
|
|
| DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value
|
| DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value
|
| EnforcementMode | target.labels.key/value
|
| EvidenceFile.FullUrl | target.file.full_path
|
| EvidenceFile.StorageName | target.file.names
|
| Hidden | security_result.detection_fields.key/value
|
| JitTriggered | security_result.detection_fields.key/value
|
| MDATPDeviceId | security_result.detection_fields.key/value
|
| SensitiveInfoTypeData.Count | security_result.detection_fields.key/value
|
| SensitiveInfoTypeData.Confidence | security_result.detection_fields.key/value
|
| SensitiveInfoTypeData.SensitiveInfoTypeName | security_result.detection_fields.key/value
|
| TargetPrinterName | target.asset.hostname
|
target.asset.type is set to PRINTER | |
| TargetDomain | target.labels.key/value
|
GenerateDataflowSasToken
다음 표에는 GenerateDataflowSasToken 작업과 PowerBI 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS.
|
|
| DataflowAccessTokenRequestParameters.entityName | principal.labels.key/value
|
| DataflowAccessTokenRequestParameters.partitionUri | principal.labels.key/value
|
| DataflowAccessTokenRequestParameters.permissions | principal.labels.key/value
|
| DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes | principal.labels.key/value
|
| DataflowId | target.resource.product_object_id
|
| DataflowName | target.resource.name
|
| IsSuccess |
If
else |
| ItemName | target.labels.key/value |
GenerateScreenshot
다음 표에는 GenerateScreenshot 작업과 PowerBI 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
MDCAssessments
다음 표에는 MDCAssessments 작업과 CompliancePostureManagement 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
|
|
| PropertyBag.AssessmentStatusPerInitiative.ArnEventId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.CloudProvider | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.CustomerResourceId | about.resource.product_object_id
|
| PropertyBag.AssessmentStatusPerInitiative.EventType | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.ResourceName | about.resource.name
|
| PropertyBag.AssessmentStatusPerInitiative.ResourceType | about.resource.resource_subtype
|
| PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.StatusCode | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.SubscriptionId | about.labels.key/value
|
| PropertyBag.AssessmentStatusPerInitiative.SubscriptionName | about.labels.key/value
|
| PropertyBag.DataType | about.labels.key/value |
RemovableMediaMount
다음 표에는 RemovableMediaMount 작업과 Endpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED.
|
|
| MDATPDeviceId | target.asset.asset_id
|
| Platform | target.labels.key/value
|
| Scope | target.labels.key/value
|
| RemovableMediaDeviceAttributes.Manufacturer | target.asset.hardware.manufacturer
|
| RemovableMediaDeviceAttributes.Model | target.asset.hardware.model
|
| RemovableMediaDeviceAttributes.SerialNumber | target.asset.hardware.serial_number
|
SignInEvent
다음 표에는 SignInEvent 작업과 SharePoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED.
|
|
| AuthenticationType | principal.labels.key/value
|
| BrowserName | principal.labels.key/value
|
| BrowserVersion | principal.labels.key/value
|
| DeviceDisplayName | principal.labels.key/value
|
| IsManagedDevice | principal.labels.key/value
|
ApprovedRequest
다음 표에는 ApprovedRequest 작업과 MicrosoftTeams 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
|
|
| ItemName | target.labels.key/value
|
CreateForm
다음 표에는 CreateForm 작업과 MicrosoftForms 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION.
|
|
| FormsUserType | target.labels.key/value
|
| SourceApp | principal.application
|
ListForms
다음 표에는 ListForms 작업과 MicrosoftForms 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
MDCRegulatoryComplianceAssessments
다음 표에는 MDCRegulatoryComplianceAssessments 작업과 CompliancePostureManagement 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
|
|
| PropertyBag.DataType | about.labels.key/value
|
| PropertyBag.Policy.ArnEventId | about.labels.key/value
|
| PropertyBag.Policy.Description | about.labels.key/value
|
| PropertyBag.Policy.DetailsLink | about.labels.key/value
|
| PropertyBag.Policy.EventTime | about.labels.key/value
|
| PropertyBag.Policy.EventType | about.labels.key/value
|
| PropertyBag.Policy.PolicyInitiativeId | about.labels.key/value
|
| PropertyBag.Policy.PolicyInitiativeName | about.labels.key/value
|
PreviewForm
다음 표에는 PreviewForm 작업과 MicrosoftForms 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
|
ViewedApprovalRequest
다음 표에는 ViewedApprovalRequest 작업과 MicrosoftTeams 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
|
|
| ItemName | target.labels.key/value
|
ListCreated
다음 표에는 ListCreated 작업과 SharePoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| AppAccessContext.UniqueTokenId | target.labels.key/value
|
| ListColor | target.labels.key/value
|
| ListIcon | target.labels.key/value
|
SiteColumnCreated
다음 표에는 SiteColumnCreated 작업과 OneDrive 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| ObjectId | target.resource.product_object_id
|
ListViewUpdated
다음 표에는 ListViewUpdated 작업과 SharePoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| AppAccessContext.UniqueTokenId | target.labels.key/value |
| AuthenticationType | principal.labels.key/value |
| BrowserName | principal.labels.key/value |
| BrowserVersion | principal.labels.key/value |
| CustomizedDoclib | principal.labels.key/value |
| DeviceDisplayName | principal.labels.key/value |
| FromApp | principal.labels.key/value |
| IsManagedDevice | principal.labels.key/value |
| ItemCount | target.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| ListBaseTemplateType | target.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListColor | target.labels.key/value |
| ListIcon | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListTitle | about.labels.key/value |
| ObjectId | target.url |
| Platform | target.labels.key/value |
| RecordType | security_result.detection_fields.key/value |
| Site | target.labels.key/value |
| Source | security_result.description |
| TemplateTypeId | about.labels.key/value |
| WebId | about.labels.key/value |
TeamUserSignedOut
다음 표에는 TeamsUserSignedOut 작업과 MicrosoftTeams 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_LOGOUT.
|
|
extension.auth.auth_type is mapped to SSO.
|
|
| ChannelGuid | target.labels.key/value |
| ChannelName | target.labels.key/value |
| ChatName | target.group.group_display_name |
| ChatThreadId | target.user.group_identifiers |
| DeviceInformation | principal.labels.key/value |
| ItemName | target.labels.key/value |
| MessageId | target.labels.key/value |
| MessageVersion | target.labels.key/value |
| ObjectId | target.labels.key/value |
| TeamGuid | target.group.product_object_id |
| TeamName | target.group.group_display_name |
| UserKey | target.labels.key/value |
| UserType | target.user.attribute.roles |
| Version | metadata.product_version |
작업공간 가져오기
다음 표에는 GetWorkspaces 작업과 PowerBI 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| Activity | about.labels.key/value |
| ActivityId | about.labels.key/value |
| AggregatedWorkspaceInformation.WorkspaceCount | target.labels.key/value |
| AggregatedWorkspaceInformation.WorkspacesByCapacitySku | target.labels.key/value |
| AggregatedWorkspaceInformation.WorkspacesByType | target.labels.key/value |
| IsSuccess | security_result.action |
| UserAgent | network.http.user_agent |
ConnectFromExternalApplication
다음 표에는 ConnectFromExternalApplication 작업과 PowerBI 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| Activity | about.labels.key/labels |
| CustomData | about.labels.key/value |
작업 목록 읽기
다음 표에는 TaskListRead 작업과 Planner 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| UserKey | principal.labels.key/labels |
| ObjectId | target.labels.key/labels |
| TaskList | target.labels.key/value |
PutConnection
다음 표에는 PutConnection 작업과 PowerApps 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE. |
|
| ObjectId | target.labels.key/value |
| Version | metadata.product_version |
| AdditionalInfo.actionName | security_result.detection_fields.key/value |
| ResourceId | target.labels.key/value |
| UserKey | target.label.key/value |
| AdditionalInfo.environmentName | target.labels.key/value |
AdminSubmissionTablAllow
다음 표에는 AdminSubmissionTablAllow 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to GENERIC_EVENT. |
|
| SubmissionContent | security_result.detection_fields.key/value |
| SubmissionContentType | security_result.detection_fields.key/value |
| ObjectId | target.labels.key/value |
| Recipients | network.email.to |
| SubmissionState | security_result.summary |
| SubmissionId | security_result.detection_fields.key/value |
| ExtendedProperties | principal.labels.key/value
If Else |
| SubmissionConfidenceLevel | security_result.detection_fields.key/value |
| SubmissionType | security_result.detection_fields.key/value |
| MessageDate | about.labels.key/value |
| P1SenderDomain | principal.administrative_domain |
| UserKey | target.label.key/value |
| P2SenderDomain | about.administrative_domain |
| Subject | network.email.subject |
| Version | metadata.product_version |
연락처를 추가합니다.
다음 표에는 Add contact. 작업과 AzureActiveDirectory 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_CREATION.
|
|
| ObjectId | target.labels.key/value |
| IntraSystemId | target.resource.attribute.labels.key/value |
| ActorContextId | principal.labels.key/value |
| SupportTicketId | about.labels.key/value |
| InterSystemsId | target.resource.attribute.labels.key/value |
| TargetContextId | target.labels.key/value |
| UserKey | target.label.key/value |
| Target | security_result.detection_fields.key/value |
| AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
| Actor | security_result.detection_fields.key/value |
| Version | metadata.product_version |
| ExtendedProperties | target.resource.attribute.labels.key/value
If Else |
| ModifiedProperties | target.resource.name
If Else if Else |
WorkspacePortalUrlReceived
다음 표에는 WorkspacePortalUrlReceived 작업과 MicrosoftDefenderForIdentity 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE. |
|
| ResultDescription | security_result.detection_fields.key.value |
| UserKey | target.labels.key/value |
PutConnectionPermission
다음 표에는 PutConnectionPermission 작업과 PowerApps 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE.
|
|
| ObjectId | target.labels.key/value |
| Version | metadata.product_version |
| AdditionalInfo.actionName | security_result.detection_fields.key/value |
| ResourceId | target.resource.attribute.labels.key/value |
| UserKey | target.label.key/value |
| AdditionalInfo.environmentName | target.resource.attribute.labels.key/value |
| AdditionalInfo.targetObjectId | target.resource.product_object_id |
SensitivityLabeledFileOpened
다음 표에는 SensitivityLabeledFileOpened 작업과 PublicEndpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_OPEN.
|
|
| PreviousProtectionType.protectionType | security_result.detection_fields.key/value |
| CurrentProtectionType.protectionType | security_result.detection_fields.key/value |
| DeviceName | target.hostname |
| CurrentProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| CurrentProtectionType.owner | security_result.about.email_addresses |
| TargetLocation | target.labels.key/value |
| UserKey | target.labels.key/value |
| LabelId | target.labels.key/value |
| CurrentProtectionType.templateId | security_result.detection_fields.key/value |
| ProtectionEventType | security_result.detection_fields.key/value |
| ContentType | target.labels.key/value |
| Platform | target.platform |
| UserSku | principal.labels.key/value |
| PreviousProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| ObjectId | target.url |
| PreviousProtectionType.owner | security_result.about.email_addresses |
| Application | principal.application |
| PreviousProtectionType.templateId | security_result.detection_fields.key/value |
Validate
다음 표에는 Validate 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| ResultCount | target.labels.key/value |
| DataType | security_result.description |
| UserKey | target.labels.key/value |
| AadAppId | target.labels.key/value |
| RelativeUrl | target.url |
SensitivityLabeledFileRenamed
다음 표에는 SensitivityLabeledFileRenamed 작업과 PublicEndpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_MOVE.
|
|
| PreviousProtectionType.protectionType | security_result.detection_fields.key/value |
| CurrentProtectionType.protectionType | security_result.detection_fields.key/value |
| DeviceName | target.hostname |
| CurrentProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| CurrentProtectionType.owner | security_result.about.email_addresses |
| TargetLocation | target.labels.key/value |
| UserKey | target.labels.key/value |
| LabelId | target.labels.key/value |
| CurrentProtectionType.templateId | security_result.detection_fields.key/value |
| ProtectionEventType | security_result.detection_fields.key/value |
| ContentType | target.labels.key/value |
| Platform | target.platform |
| UserSku | principal.labels.key/value |
| PreviousProtectionType.documentEncrypted | security_result.detection_fields.key/value |
| ObjectId | target.url |
| PreviousProtectionType.owner | security_result.about.email_addresses |
| Application | principal.application |
| PreviousProtectionType.templateId | security_result.detection_fields.key/value |
| PreviousTarget | src.url |
할 일이 수정됨
다음 표에는 TaskModified 작업과 Planner 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN.
|
|
| PlanId | target.resource.attribute.labels.key/value |
| UserKey | target.labels.key/value |
| ObjectId | target.resource.product_object_id |
타일 삭제
다음 표에는 TaskModified 작업과 PowerBI 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_DELETION.
|
|
| WorkspaceId | target.resource.product_object_id |
| WorkSpaceName | target.resource.name |
| UserKey | target.labels.key/value |
| ActivityId | principal.labels.key/value |
| RefreshEnforcementPolicy | security_result.detection_fields.key/value |
| RequestId | about.labels.key/value |
| IsSuccess | security_result.action |
| UserAgent | network.http.user_agent |
| ObjectId | target.resource.attribute.labels.key/value |
스팸 출시 메시지
다음 표에는 QuarantineReleaseMessage 작업과 Quarantine 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| NetworkMessageId | security_result.detection_fields.key/value |
| ReleaseTo | security_result.detection_fields.key/value |
| RequestType | security_result.detection_fields.key/value |
| RequestSource | security_result.detection_fields.key/value |
WorkspaceStatusReceived
다음 표에는 WorkspaceStatusReceived 작업과 MicrosoftDefenderForIdentity 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE.
|
|
| ResultDescription | security_result.detection_fields.key/value |
LinkedEntity 업데이트됨
다음 표에는 LinkedEntityUpdated 작업과 MicrosoftTodo 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN.
|
|
| ActorAppId | target.labels.key/value |
| ItemId | security_result.detection_fields.key/value and target.resource.product_object_id |
| ItemType | target.resource.attribute.labels.key/value |
| TargetActorId | target.labels.key/value |
| TargetActorTenantId | target.labels.key/value |
응답 보기
다음 표에는 ViewResponse 작업과 MicrosoftForms 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. |
|
| FormsUserTypes | principal.labels.key/value |
| SourceApp | principal.application |
| FormName | target.resource.name |
| FormId | target.resource.product_object_id |
계획 목록 읽기
다음 표에는 PlanListRead 작업과 Planner 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to RESOURCE_READ.
|
|
| PlanList | target.resource.product_object_id |
| ObjectId | target.resource.attribute.labels.key/value |
O365SyncAdminUser프로모션
다음 표에는 O365SyncAdminUserPromotion 작업과 Yammer 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to STATUS_UPDATE. |
|
| ActorUserId | principal.user.email_addresses or principal.user.userid |
| ActorYammerUserId | principal.labels.key/value |
| ObjectId | target.labels.key/value |
| YammerNetworkId | principal.labels.key/value |
클립보드로 복사
다음 표에는 FileCopiedToClipboard 작업과 Endpoint 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED. |
|
| Application | principal.application |
| DeviceName | target.hostname |
| DlpAuditEventMetadata.DlpPolicyMatchId | security_result.detection_fields.key/value |
| DlpAuditEventMetadata.EvaluationTime | security_result.detection_fields.key/value |
| EnforcementMode | target.labels.key/value |
| EvidenceFile.FullUrl | target.labels.key/value |
| EvidenceFile.StorageName | target.labels.key/value |
| FileExtension | target.file.mime_type |
| FileType | target.resource.attribute.labels.key/value |
| Hidden | security_result.detection_fields.key/value |
| JitTriggered | security_result.detection_fields.key/value |
| MDATPDeviceId | security_result.detection_fields.key/value |
| ObjectId | target.file.full_path |
| Platform | target.labels.key/value |
| PolicyMatchInfo | target.resource.product_object_id
|
| SensitiveInfoTypeData | security_result.detection_fields.key/value
|
| Scope | target.labels.key/value |
| RMSEncrypted | security_result.detection_fields.key/value |
| SensitivityLabelEventData.SensitivityLabelId | security_result.detection_fields.key/value |
| SourceLocationType | principal.labels.key/value |
| TargetDomain | target.domain.name |
| TargetFilePath | target.labels.key/value |
| OriginatingDomain | principal.domain.name |
파일 스크립트 콘텐츠 액세스
다음 표에는 FileTranscriptContentAccessed 작업과 OneDrive 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to FILE_READ. |
|
| AlternateStreamId | security_result.detection_fields.key/value |
| ApplicationDisplayName | target.application and target.resource.name |
| ApplicationId | target.resource.product_object_id |
| AuthenticationType | principal.labels.key/value |
| AppAccessContext.UniqueTokenId | target.labels.key/value |
| BrowserName | principal.labels.key/value |
| BrowserVersion | principal.labels.key/value |
| DeviceDisplayName | principal.labels.key/value |
| IsManagedDevice | principal.labels.key/value |
| EventSource | principal.application |
| HighPriorityMediaProcessing | about.labels.key/value |
| ItemType | target.resource.attribute.labels.key/value |
| ListBaseType | target.labels.key/value |
| ListId | security_result.detection_fields.key/value |
| ListItemUniqueId | principal.asset_id |
| ListServerTemplate | security_result.detection_fields.key/value |
| ObjectId | target.url |
| Platform | target.labels.key/value |
| Site | target.labels.key/value |
| SiteUrl | network.http.referral_url |
| SourceFileExtension | target.file.mime_type |
| SourceFileName | target.file.full_path is mapped to SourceRelativeUrl/SourceFileName. |
| SourceRelativeUrl | target.file.full_path is mapped to SourceRelativeUrl/SourceFileName. |
| UserAgent | network.http.user_agent |
| WebId | about.labels.key/value |
Set-DlpCompliancePolicy
다음 표에는 Set-DlpCompliancePolicy 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
|
|
| ClientApplication | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| ObjectId | target.resource.product_object_id |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
| UserKey | target.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |
Remove-DlpCompliancePolicy
다음 표에는 Remove-DlpCompliancePolicy 작업과 SecurityComplianceCenter 워크로드의 로그 필드와 해당 UDM 매핑이 나와 있습니다.
| Log field | UDM mapping |
|---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION.
|
|
| ClientApplication | principal.labels.key/value |
| CmdletVersion | metadata.product_version |
| EffectiveOrganization | target.administrative_domain |
| ObjectId | target.resource.product_object_id |
| Parameters | target.process.command_line |
| SecurityComplianceCenterEventType | about.labels.key/value |
| StartTime | target.resource.attribute.creation_time |
| UserKey | target.labels.key/value |
| UserServicePlan | principal.labels.key/value |
| Version | metadata.product_version |