Muokkaa

Jaa


EnrichedMicrosoft365AuditLogs

This table is part of Identity and Network Access, which contains Enriched Microsoft 365 Audit logs. These logs can be leveraged for policy, risk, and traffic management, as well as to monitor users experience.

Table attributes

Attribute Value
Resource types -
Categories Security, Network, IT & Management Tools
Solutions LogManagement
Basic log No
Ingestion-time transformation No
Sample Queries -

Columns

Column Type Description
ActorUserType string The type of user that performed the operation. Possible types includes: Admin, System, Application, Service Principal and Other.
AdditionalProperties dynamic Additional activity fields
_BilledSize real The record size in bytes
ClientIp string The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
DeviceId string The ID of the source device as reported in the record.
DeviceOperatingSystem string The client connecting operating system type.
DeviceOperatingSystemVersion string The client connecting operating system version.
Id string Unique identifier of an audit record.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
ObjectId string For SharePoint and OneDrive for business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
Operation string The name of the user or admin activity that performed the activity.
OrganizationId string The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
RecordType int The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.
ResultStatus string Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.
SourceIp string The IP address from which the connection or session originated.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
TimeGenerated datetime The date and time in UTC when the user performed the activity.
Type string The name of the table
UniqueTokenId string The unique token identifier
UserId string The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
UserKey string An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
UserType string The type of user that performed the operation.
Workload string The Office 365 service where the activity occurred.