Mantenha tudo organizado com as coleções Salve e categorize o conteúdo com base nas suas preferências.

Coletar registros do Microsoft 365

Neste documento, descrevemos como coletar registros do Microsoft 365 configurando um feed do Chronicle e como os campos de registro são mapeados para os campos do Modelo de dados unificado (UDM, na sigla em inglês) do Chronicle. Este documento também lista as atividades auditadas e as versões compatíveis do Microsoft 365.

Para uma visão geral sobre a ingestão de dados no Chronicle, consulte Ingestão de dados no Chronicle.

Visão geral

O diagrama da arquitetura de implantação a seguir mostra como o Microsoft 365 e o feed do Chronicle são configurados para enviar registros ao Chronicle. Cada implantação do cliente pode ser diferente dessa representação e ser mais complexa.

Arquitetura de implantação

O diagrama da arquitetura mostra os seguintes componentes:

  • Microsoft 365 O serviço do Microsoft 365 do qual você coleta registros.

  • Feed do Chronicle. O feed do Chronicle que busca registros no Microsoft 365 e grava registros no Chronicle.

  • Chronicle (em inglês). O Chronicle retém e analisa os registros do Microsoft 365.

Um identificador de ingestão identifica o analisador que normaliza os dados de registro brutos no formato UDM estruturado. As informações neste documento se aplicam ao analisador com o rótulo de ingestão OFFICE_365.

Antes de começar

  • Use o Microsoft 365 versão 2204 Build 16.0.15128.20248 ou mais recente e verifique se você tem uma assinatura do Microsoft 365 Enterprise E5 com o recurso da Central de segurança e conformidade da Microsoft.

  • Conceda os privilégios e permissões necessários ao usuário para gerar e exportar eventos diferentes para todos os produtos da Microsoft com suporte. Para um exemplo de permissão, consulte Permissões para acessar APIs de gerenciamento.

  • Configure o Microsoft 365 para pesquisar e exportar registros. O Microsoft Azure Active Directory (Azure AD) é o serviço de diretório do Microsoft 365. A geração dos registros leva até 24 horas. Veja mais informações em Pesquisar o registro de auditoria.

  • Verifique se todos os sistemas na arquitetura de implantação estão configurados no fuso horário UTC.

  • Revise as atividades e os produtos compatíveis com o analisador do Chronicle. A tabela a seguir lista as atividades e os produtos compatíveis com o analisador do Chronicle:

    Atividades Produtos
    Atividades de arquivos e páginas SharePoint Online e OneDrive for Business
    Atividades da pasta SharePoint Online e OneDrive for Business
    Atividades da lista do SharePoint SharePoint Online
    Atividades de solicitação de compartilhamento e acesso SharePoint Online e OneDrive for Business
    Atividades de sincronização SharePoint Online e OneDrive for Business
    Atividades de permissão do site SharePoint Online
    Atividades de administração de local SharePoint Online
    Atividades da caixa de e-mails do Exchange Caixas de e-mails de grupo do Microsoft 365
    Atividades de administração de usuários Central de administradores do Microsoft 365
    Atividades de administração de grupos do Azure AD Central de administradores do Microsoft 365
    Atividades de administração do aplicativo Quando um administrador adiciona ou altera um aplicativo registrado no Azure AD
    Atividades de administração de papéis Central de administradores do Microsoft 365
    Atividades de administração de diretórios Central de administradores do Microsoft 365
    Atividades de BI de energia Power BI
    Atividades do Microsoft Teams Microsoft Teams
    O Microsoft Teams alterna atividades Muda o app no Microsoft Teams
    Atividades do Microsoft Teams no Healthcare Aplicação de pacientes no Microsoft Teams
    O Microsoft Teams alterna atividades Muda o app no Microsoft Teams
    Atividades do Yammer Yammer
    Atividades do Microsoft Power Automate Power Automate (antigo Microsoft Flow)
    Atividades do Microsoft PowerApps Apps avançados
    Atividades do Microsoft Stream Fluxo da Microsoft
    Colocar em quarentena atividades Colocar mensagens de e-mail em quarentena no Office 365
    Atividades no Formulários Google Microsoft Teams
    Atividades do marcador de sensibilidade Como marcar atividades no SharePoint Online e em equipes
    Política de retenção e atividades do rótulo de retenção Não relevante
    Atividades do e-mail de resumo E-mail de notícias
    Atividades do MyAnalytics MyAnalytics
    Atividades de barreira de informações Não relevante
    Atividades de revisão de disposição Não relevante
    Atividades de conformidade da comunicação Não relevante
    Atividade indefinida Não relevante

Configure um feed no Chronicle para ingerir registros do Microsoft 365

  1. Acesse as configurações do Chronicle e clique em Feeds.
  2. Clique em Adicionar novo.
  3. Selecione API de terceiros em Tipo de origem.
  4. Selecione Office 365 em Tipo de registro.
  5. Clique em Próxima.
  6. Com base na configuração do Microsoft 365, especifique os detalhes do ID do cliente OAuth, Chave secreta do cliente OAuth e ID do locatário.
  7. Selecione o Tipo de conteúdo para o qual você está criando esse feed. Crie um feed separado para cada tipo de conteúdo necessário.
  8. Clique em Próxima e em Enviar.

Para mais informações sobre feeds do Chronicle, consulte a documentação relacionada. Para informações sobre os requisitos de cada tipo de feed, consulte Configuração de feed por tipo.

Referência de mapeamento de campo

Nesta seção, explicamos como o analisador do Chronicle mapeia os campos de registro do Microsoft 365 para os campos do Chronicle Unified Data Model (UDM) para as operações e cargas de trabalho compatíveis.

Campos comuns

A tabela a seguir lista os campos de registro comuns e os campos de UDM correspondentes.

Common log field UDM field
ID metadata.product_log_id
RecordType

security_result.detection_fields.key/value

security_result.detection_fields.key is set to {RecordeType} - RecordTypeNameFromDoc

security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc

CreationTime metadata.event_timestamp
Operation metadata.product_event_type
OrganizationId principal.resource.product_object_id
UserType principal.user.attribute.roles.name
UserId

principal.user.email_addresses or principal.user.userid

target.user.email_addresses or target.user.userid

If is Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, or Add delegated permission grant then UserId is mapped to target.user else UserId is mapped to principal.user

If UserId value contains email address then it is mapped to email_address, else it is mapped to userid.

ClientIP principal.ip and principal.port
Workload target.application
AppAccessContext

network.session.id security_result.detection_fields.key/value

AADSessionId is mapped to network.session.id

CorrelationId is mapped to security_result.detection_fields.key/value

Para informações de referência sobre mapeamentos de UDM para operações compatíveis, consulte as seguintes seções:

Acessado pelo arquivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Fileaccessed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileAccessedExtended

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileAccessedExtended" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Arquivo excluído

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileDeleted" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Arquivo copiado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileCopy" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData src.file.full_path

target.file.full_path

Extract

SourceFileUrl is mapped to src_file_full_path

TargetFileUrl is mapped to target_file_full_path

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Arquivo modificado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileModified" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

Download de arquivo concluído

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileDownloads" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
UserSessionId network.http.session_id
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ZipFileName principal.resource.parent

Arquivo modificado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileModifiedExtended" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

Arquivo movido

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileMove" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Visualização do arquivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FilePreviewed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Arquivo renomeado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileRenamed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

Arquivo enviado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileLoaded" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ImplicitShare target.resource.attribute.labels.key/value

FileVersionsAllDeleted

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileVersionsAllDeleted" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
WebId about.labels.key/value

Arquivo verificado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileCheckedIn" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName workload map with intermediary.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCheckedOut

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileCheckedOut" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site Uniquely Identify resource in site like File or Folder
ItemType This field contain values like File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource principal.application
SourceName principal.labels.key/value
UserAgent Information about the user's browser. This information is provided by the browser.
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl We can not map it with target.file.full_path because of SiteUrl field not contains value related to system path
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ComplianceSettingChanged

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ComplianceSettingChanged" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
SharingType target.labels.key/value

Gravação de bloqueio

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "LockRecord" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Desbloquear registro

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnlockRecord" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

File FirstFirstStageRecycleBin

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileDeletedFirstStageRecycleBin" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SharingType target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeletedSecondsStageRecycleBin

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileDeletedSecondsStageRecycleBin" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Exclusão de registro

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "RecordDelete" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

SensitivityMismatchDetected

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "DocumentSensitivityMismatchDetected" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

SensitivityMismatchDetected

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "DocumentSensitivityMismatchDetected" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ArquivoCheckOutDescartared

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileCheckOutDescartared" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllMenorsReciclados

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileVersionsAllSmallsRecycled" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllRecycled

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileVersionsAllRecycled" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionReciclado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileVersionRecycled" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Arquivo restaurado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileRestored" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value
SharingType target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileMalwareDetected

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileMalwareDetected" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
VirusInfo security_result.threat_name
VirusVendor target.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

SearchQueryPerformed

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SearchQueryPerformed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventData target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Visualização de página

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "PageViewed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pré-busca de página

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "PagePrefetched" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ClientViewSigned

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ClientViewSignaled" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Visualização de página estendida

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "PageViewedExtended" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Pasta criada

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderCreated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pasta excluída

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderDeleted" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pasta movida

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderMove" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

SourceRelativeUrl field not getting in log

DestinationRelativeUrl DestinationRelativeUrl field not getting in log

target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}

DestinationFileName DestinationFileName field not getting in log

target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}

DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData src.file.full_path

target.file.full_path

Extract

SourceFileUrl is mapped to src_file_full_path

TargetFileUrl is mapped to target_file_full_path

grok is mapped to {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl}

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pasta renomeada

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderRenamed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderModified

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderModified" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pasta copiada

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderCOPY" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path
SourceRelativeUrl src.file.full_path
DestinationRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Pasta restaurada

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderRestored" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeleteFirstStageRecycleBin

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderDeletedFirstStageRecycleBin" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedSegundaStageRecycleBin (Pasta excluída)

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FolderDeletedSecondsStageRecycleBin" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadsFull

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileSyncDownloadsFull" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is set to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadsPartial

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileSyncDownloadsPartial" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to src.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadFull

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileSyncLoadedFull" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadParcial

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "FileSyncLoadedPartial" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ManagedSyncClientAllowed

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ManagedSyncClientAllowed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

UnmanagedSyncClientBlock

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnmanagedSyncClientBlock" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

Adicionado agrupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "AddedToGroup" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.group.group_display_name
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Adicionado em grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "GroupAdded" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Grupo removido

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "GroupRemoved" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebRequestAccessModified

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "WebRequestAccessModified" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value
ItemType target.resource.attribute.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebMembersCanShareModified

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "WebMembersCanShareModified" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value
version metadata.product_version
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Nível de permissão modificado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "PermissionLevelModified" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

version metadata.product_version
WebID about.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminAdicionado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SiteCollectionAdminAdded" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ModifiedProperties If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminRemoved

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SiteCollectionAdminRemoved" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
SiteUrl network.http.referral_url
ModifiedProperties If Name is set SiteAdmin then NewValue is mapped to target.user.userid or target.user.email_addresses
AssertingApplicationId about.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Nível de permissão removido

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "PermissionLevelRemoved" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.permissions.name
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Removido do grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "RemovedFromGroup" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.group.group_display_name
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

Atualizado em grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "GroupUpdated" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.referral_url
ModifiedProperties if Name is Name then NewValue is mapped to target.group.group_display_name
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

ProjetoCheckedOut

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ProjectCheckedOut" e a carga de trabalho "Project":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

Acesso ao projeto

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ProjectAccessed" e a carga de trabalho "Project":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value

Compartilhamento de herança corrompido

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ShareInheritanceBroken" e a carga de trabalho "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ApplicationDisplayName target.application

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "AddedToSecureLink" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId target.labels.key/value
Version metadata.product_version
WebId about.labels.key/value
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ApplicationDisplayName target.application

LinkLink criado pela empresa

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "CompanyLinkCreated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
ApplicationDisplayName target.application

LinkLinkUsadodaEmpresa

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "CompanyLinkUsed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

SecureLinkCreated

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SecureLinkCreated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value

ConviteCompartilhado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "sharingInvitationCreated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped totarget.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkExcluído

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SecureLinkDeleted" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type>

}

}

Type is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "RemovedFromSecureLink" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

ConvitePorRevogação

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "sharingInvitationRevogar" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkUpdated

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SecureLinkUpdated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value

SecureLinkUsed (em inglês)

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "SecureLinkUsed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Compartilhamento revogado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ShareRevogard" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Conjunto de compartilhamento

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ShareSet" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Nível de permissão adicionado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "PermissionLevelAdded" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

CompartilhamentoDeConviteAceito

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ShareInvitationAccepted" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.name

Added to Group is mapped to target.resource.name

Compartilhamento de convite bloqueado

Na tabela a seguir, estão listados os campos de registro e os mapeamentos de UDM correspondentes para a operação "sharingInvitationBloqueado" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData security_result.summary

Reason is mapped to security_result.summary

AccessRequestCreated

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "AccessRequestCreated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped totarget.resource.attribute.labels.key/value

Link anônimo criado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnknownLinkCreated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value

AccessRequestUpdated

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "AccessRequestUpdated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

ModifiedProperties target.labels.key/value

EmpresaLinkRemovido

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "CompanyLinkRemoved" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETIONObjectId is mapped to target.url
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type>

}

}

Type is mapped to target.resource.attribute.labels.key/value

AccessRequestAprovada

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "AccessRequestApprove" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value
EventData target.resource.name

Extract using grok

grok {

match is mapped to {

EventData <Added to group>{target_resource_name}.*

}

}

TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

Linkanônimo removido

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnknownLinkRemoved" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Site target.labels.key/value
UserAgent network.http.user_agent
WebId about.labels.key/value
EventData target.resource.attribute.labels.key/value
SourceFileExtension target.file.mime_type
UniqueSharingId target.labels.key/value
SiteUrl network.http.referral_url

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type>

}

}

Type is mapped to target.resource.attribute.labels.key/value

SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName principal.labels.key/value
MachineDomainInfo target.asset.attribute.labels.key/value
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
MachineId target.asset.product_object_id

Link anônimo atualizado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnknownLinkUpdated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
WebId about.labels.key/value
UniqueSharingId target.labels.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {

match is mapped to {

EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>

}

}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

Convite atualizado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "sharingInvitationUpdated" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
ApplicationDisplayName target.application
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value
ModifiedProperties target.labels.key/value
event_type is mapped to USER_RESOURCE_ACCESS
Site target.labels.key/value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value

Link anônimo usado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UnknownLinkUsed" e a carga de trabalho "SharePoint/OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ResultStatus is Success

Action is set to ALLOW

security_result.summary is set to Group creation successful

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is set to Group creation failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is set to additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is set to extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar grupo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set toGroup membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar membro ao grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar membro ao grupo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else map about.labels.key/value

ModifiedProperties security_result.summary

target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Add user" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Alterar licença de usuário.

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Alterar licença de usuário" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Mudar a senha do usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Alterar senha do usuário" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group deletion successful

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group deletion failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Excluir grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Excluir grupo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Remover participante do grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Remover membro do grupo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

if status is Success then

action ALLOW

security_result.summary User deleted successfully

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Excluir usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Excluir usuário" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success

Action is set to ALLOW

security_result.summary is User updated successfully

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is User update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Atualizar usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Atualizar usuário" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

if ObjectId not contain (empty) or Not Available then ObjectId is set to target.group.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Atualizar grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Atualizar grupo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

If ResultStatus is Succeeded or ResultStatus is Success

security_result.action is ALLOW

security_result.summary is User login successful

else if ResultStatus is Failed or LogonError !is

security_result.action is BLOCK

security_result.summary is User login failed

security_result.description is {LogonError}

UserId is mapped to target.user.userid or target.user.email_addresses

metadata.description is User Login - {Workload}

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS {

If Value is match to Windows then principal.platform is WINDOWS

If Value is match to Mac then principal_plateform is MAC

if Value is match to Linux then principal_plateform is LINUX

}

If Name is SessionId then Value is mapped to network.session_id

If Name is OS then Value is mapped to principal.platform

If Name is DisplayName then Value is mapped to principal.hostname

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

Usuário conectado

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UserRegisterIn" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

security_result.Action is set to BLOCK

security_result.summary is User login failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

If Name is RequestType and Value is match to Saml.* or OAuth2.* then extensions.auth.type is mapped to MACHINE

If Name is RequestType and Value is match to Login.* then extensions.auth.type is mapped to REMOTE_INTERACTIVE

If Name is UserAgent then Value is mapped to network.http.user_agent

If Name is UserAuthenticationMethod then Based on Value it will map with extensions.auth.type

If Name is requestType then Based on Value it will map with extensions.auth.type

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS {

If Value is matched to Windows then principal.platform is WINDOWS

If Value is matched to Mac then principal_plateform is MAC

if Value is matched to Linux then principal_plateform is LINUX

}

If Name is SessionId then Value is mapped to network.session_id

If Name is OS then Value is mapped to principal.platform

If Name is DisplayName then Value is mapped to principal.hostname

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD

Falha de login do usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "UserLoginFailed" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.labels.key/value
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Atualizar StsRefreshTokenValidFrom

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Update StsRefreshTokenValidFrom Timestamp" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summary

If DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Atualizar dispositivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Atualizar dispositivo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_MODIFICATION UDM validation : principal.machineid (IP or hostname or assetId or mac etc).

ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Definir configurações de federação no domínio

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Definir configurações de federação no domínio" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZEDRequired fields for STATUS_UNCATEGORIZED UDM validation : principal.machineid (IP or hostname or assetId or mac etc).

ClientIP field is mandatory field for all the office 365 activities as per official doc of Office 365, but in some cases ClientIP field is absent

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Verificar domínio

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Verificar domínio" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Definir informações da empresa

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Definir informações da empresa" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Redefinir senha do usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Reset user password" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.description

security_result.summary

target.labels.key/value

If Name is AccountEnabled then security_result.description is set to AccountEnabled - {NewValue}

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Desativar conta

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Desativar conta" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/valueIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Excluir senha de app do usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Delete application password for user" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Excluir dispositivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Excluir dispositivo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

If Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name =DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar usuários registrados ao dispositivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar usuários registrados ao dispositivo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.nameIf Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar proprietário registrado ao dispositivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar proprietário registrado ao dispositivo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar proprietário ao grupo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar proprietário ao grupo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.group.product_object_id

target.group.group_display_nameIf Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar OAuth2PermissionGrant

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Add OAuth2PermissionGrant" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summaryIf Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar dispositivo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Add device" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.resource.product_object_id

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetObjectId then Value is mapped to target.resource.product_object_id

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.platform

target.ptatform_version

security_result.description

target.resource.name

security_result.summaryIf DisplayName value present in ModifiedProperties field then we will map DisplayName with target.resource.name otherwise map ID of Target field if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.ptatform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewVale is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar a atribuição de função do app ao usuário

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar concessão de função de app ao usuário" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSION

Workload is mapped to intermediary.application

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties target.application

network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is targetName then Value is mapped to target.application

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.user.userid or target.user.email_addresses

If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Consent to application" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Atualizar principal do serviço

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Atualizar serviço principal" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar principal de serviço

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar serviço principal" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Remover principal de serviço

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Remover principal de serviço" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.nameIf Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value

Adicionar participante à função

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar membro ao papel" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Added a user to an admin role successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Added a user to an admin role failed

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.user.attribute.roles.name

if Name is Role.ObjectId then NewValue is target.resource.product_object_id

If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
Version metadata.product_version

Remover membro da função

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Remover membro da função" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is Removed a user to an admin role successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is Removed a user to an admin role failed

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

ModifiedProperties target.resource.product_object_id

target.user.attribute.roles.name

if Name is Role.ObjectId then NewValue is target.resource.product_object_id

If Name is Role.DisplayName then NewValue is target.user.attribute.roles.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value
event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

if Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value
Version metadata.product_version

Adicionar rótulo

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Adicionar rótulo" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is set to target.resource.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value

If Name is additionalDetails then extract User-Agent is mapped to network.http.user_agent

if Name is extendedAuditEventCategory then target.resource.attribute.labels.key/value

else

about.labels.key/value

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value
Version metadata.product_version

Criar a empresa

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "Create company" e a carga de trabalho "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

ObjectId is set to target.resource.product_object_id

AddOnGuid target.labels.key/value
AddOnName target.labels.key/value
AddOnType target.labels.key/value
ChannelGuid target.labels.key/value
ChannelName target.labels.key/value
ChannelType target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value
TeamGuid target.labels.key/value
TeamName target.group.group_display_name
Version metadata.product_version

TeamsSession iniciada

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "TeamsSessionStarted" e a carga de trabalho "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupAdded

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ScheduleGroupAdded" e a carga de trabalho "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value
ExtraProperties additional.fields.key/value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupEdited

A tabela a seguir lista os campos de registro e os mapeamentos de UDM correspondentes para a operação "ScheduleGroupEdited" e a carga de trabalho "MicrosoftTeams":