Office 365 Management Activity API schema

The Office 365 Management Activity API schema is provided as a data service in two layers:

  • Common schema. The interface to access core Office 365 auditing concepts such as Record Type, Creation Time, User Type, and Action, as well as core dimensions (such as User ID), location specifics (such as Client IP address), and service-specific properties (such as Object ID). It establishes consistent and uniform views that let users extract all Office 365 audit data through a few top-level views with the appropriate parameters, and provides a fixed schema for all data sources, which significantly reduces the learning cost. The Common schema is sourced from product data owned by each product team, such as Exchange, SharePoint, Azure Active Directory, Yammer, and OneDrive for Business. The Object ID field can be extended by Microsoft 365 product teams to add service-specific properties.

  • Service-specific schema. Built on top of the Common schema to provide a set of Microsoft 365 service-specific attributes; for example, SharePoint schema, OneDrive for Business schema, and Exchange admin schema.

Office 365 Management API schemas

This article provides details on the Common schema as well as service-specific schemas. The following table describes the available schemas.

Name of schema | Description
Common schema | The view to extract Record Type, User ID, Client IP, User Type, and Action, along with core dimensions such as user properties (such as UserID), location properties (such as Client IP), and service-specific properties (such as Object ID).
Copilot schema | Events include how and when users interact with Copilot, in which Microsoft 365 service the activity took place, and references to the files stored in Microsoft 365 that were accessed during the interaction.
SharePoint Base schema | Extends the Common schema with the properties specific to all SharePoint audit data.
SharePoint File Operations | Extends the SharePoint Base schema with the properties specific to file access and manipulation in SharePoint.
SharePoint List Operations | Extends the SharePoint Base schema with the properties specific to interactions with lists and list items in SharePoint Online.
SharePoint Sharing schema | Extends the SharePoint Base schema with the properties specific to file sharing.
SharePoint schema | Extends the SharePoint Base schema with the properties specific to SharePoint, but unrelated to file access and manipulation.
Project schema | Extends the SharePoint Base schema with the properties specific to Project.
Exchange Admin schema | Extends the Common schema with the properties specific to all Exchange admin audit data.
Exchange Mailbox schema | Extends the Common schema with the properties specific to all Exchange mailbox audit data.
OWA Auth schema | Extends the Common schema with the properties specific to OWA Auth data.
Microsoft Entra ID Base schema | Extends the Common schema with the properties specific to all Microsoft Entra audit data.
Microsoft Entra account Logon schema | Extends the Microsoft Entra ID Base schema with the properties specific to all Microsoft Entra logon events.
Microsoft Entra ID Secure STS Logon schema | Extends the Microsoft Entra ID Base schema with the properties specific to all Microsoft Entra ID Secure Token Service (STS) logon events.
Microsoft Entra schema | Extends the Common schema with the properties specific to all Microsoft Entra audit data.
DLP schema | Extends the Common schema with the properties specific to Data Loss Prevention events.
Security and Compliance Center schema | Extends the Common schema with the properties specific to all Security and Compliance Center events.
Security and Compliance Alerts schema | Extends the Common schema with the properties specific to all Office 365 security and compliance alerts.
Yammer schema | Extends the Common schema with the properties specific to all Yammer events.
Data Center Security Base schema | Extends the Common schema with the properties specific to all data center security audit data.
Data Center Security Cmdlet schema | Extends the Data Center Security Base schema with the properties specific to all data center security cmdlet audit data.
Microsoft Teams schema | Extends the Common schema with the properties specific to all Microsoft Teams events.
Microsoft Defender for Office 365 and Threat Investigation and Response schema | Extends the Common schema with the properties specific to Defender for Office 365 and threat investigation and response data.
Submission schema | Extends the Common schema with the properties specific to user and admin submissions in Microsoft Defender for Office 365.
Automated investigation and response events schema | Extends the Common schema with the properties specific to Office 365 automated investigation and response (AIR) events. For an example, see the Tech Community blog: Improve the Effectiveness of your SOC with Microsoft Defender for Office 365 and the O365 Management API.
Hygiene events schema | Extends the Common schema with the properties specific to events in Exchange Online Protection and Microsoft Defender for Office 365.
Power BI schema | Extends the Common schema with the properties specific to all Power BI events.
Dynamics 365 schema | Extends the Common schema with the properties specific to Dynamics 365 events.
Workplace Analytics schema | Extends the Common schema with the properties specific to all Microsoft Workplace Analytics events.
Quarantine schema | Extends the Common schema with the properties specific to all quarantine events.
Microsoft Forms schema | Extends the Common schema with the properties specific to all Microsoft Forms events.
MIP label schema | Extends the Common schema with the properties specific to sensitivity labels manually or automatically applied to email messages.
Encrypted message portal event schema | Extends the Common schema with the properties specific to the encrypted message portal accessed by external recipients.
Communication compliance Exchange schema | Extends the Common schema with the properties specific to the Communication compliance offensive language model.
Reports schema | Extends the Common schema with the properties specific to all reports events.
Compliance connector schema | Extends the Common schema with the properties specific to importing non-Microsoft data by using data connectors.
SystemSync schema | Extends the Common schema with the properties specific to data ingested via SystemSync.
Viva Goals schema | Extends the Common schema with the properties specific to all Viva Goals events.
Microsoft Planner schema | Extends the Common schema with the properties specific to Microsoft Planner events.
Microsoft Project for the web schema | Extends the Common schema with the properties specific to Microsoft Project for the web events.
Viva Pulse schema | Extends the Common schema with the properties specific to all Viva Pulse events.
Compliance Manager schema | Extends the Common schema with the properties specific to Compliance Manager events.
Backup Policy schema | Extends the Common schema with the properties specific to Microsoft 365 Backup Policies.
Restore Task schema | Extends the Common schema with the properties specific to Microsoft 365 Backup Restore Tasks.
Backup Item schema | Extends the Common schema with the properties specific to Microsoft 365 Backup artifacts.
Restore Item schema | Extends the Common schema with the properties specific to Microsoft 365 Backup Restore Items.
Cloud Policy service schema | Extends the Common schema with the properties specific to all Cloud Policy service audit data.
Cloud Update profile configuration schema | Extends the Common schema with the properties specific to the Cloud Update profile configuration audit data.
Cloud Update tenant configuration schema | Extends the Common schema with the properties specific to the Cloud Update tenant configuration audit data.
Cloud Update device configuration schema | Extends the Common schema with the properties specific to the Cloud Update device configuration audit data.
AAD Risk Detection schema | Extends the Common schema with the properties specific to AAD Risk Detection events.

Common schema

EntityType Name: AuditRecord

Parameter | Type | Mandatory? | Description
Id | Combination GUID (Edm.Guid) | Yes | Unique identifier of an audit record.
RecordType | Self.AuditLogRecordType | Yes | The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records.
CreationTime | Edm.Date | Yes | The date and time in Coordinated Universal Time (UTC) when the audit log record was generated.
Operation | Edm.String | Yes | The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. For Exchange admin activity, this property identifies the name of the cmdlet that was run. For DLP events, this can be "DlpRuleMatch", "DlpRuleUndo", or "DlpInfo", which are described under "DLP schema" below.
OrganizationId | Edm.Guid | Yes | The GUID for your organization's Office 365 tenant. This value is always the same for your organization, regardless of the Office 365 service in which the activity occurs.
UserType | Self.UserType | Yes | The type of user that performed the operation. See the UserType table for details on the types of users.
UserKey | Edm.String | Yes | An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
Workload | Edm.String | Yes | The Office 365 service where the activity occurred.
ResultStatus | Edm.String | No | Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.

  Important: Different workloads may overwrite the value of the ResultStatus property. For example, for Microsoft Entra ID STS logon events, a value of Succeeded for ResultStatus indicates only that the HTTP operation was successful; it doesn't mean the logon was successful. To determine whether the actual logon was successful, see the LogonError property in the Microsoft Entra ID STS Logon schema. If the logon failed, the value of that property contains the reason for the failed logon attempt.

ObjectId | Edm.String | No | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. For the Cloud Policy service, the object ID of the policy configuration.
UserId | Edm.String | Yes | The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as searching a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see The app@sharepoint user in audit records.
ClientIP | Edm.String | Yes | The IP address of the device that was used when the activity was logged. The IP address is displayed in either IPv4 or IPv6 format.

  For some services, the value displayed in this property might be the IP address of a trusted application (for example, Office on the web apps) calling into the service on behalf of a user, and not the IP address of the device used by the person who performed the activity.

  Also, for Microsoft Entra ID-related events, the IP address isn't logged and the value of the ClientIP property is null.

Scope | Self.AuditLogScope | No | Was this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
AppAccessContext | Collection(Self.AppAccessContext) | No | The application context for the user or service principal that performed the action.

Enum: AuditLogRecordType - Type: Edm.Int32

Value | Member name | Description
1 | ExchangeAdmin | Events from the Exchange admin audit log.
2 | ExchangeItem | Events from an Exchange mailbox audit log for actions that are performed on a single item, such as creating or receiving an email message.
3 | ExchangeItemGroup | Events from an Exchange mailbox audit log for actions that can be performed on multiple items, such as moving or deleting one or more email messages.
4 | SharePoint | SharePoint events.
6 | SharePointFileOperation | SharePoint file operation events.
7 | OneDrive | OneDrive for Business events.
8 | AzureActiveDirectory | Microsoft Entra ID events.
9 | AzureActiveDirectoryAccountLogon | Microsoft Entra ID OrgId logon events (deprecated).
10 | DataCenterSecurityCmdlet | Data Center security cmdlet events.
11 | ComplianceDLPSharePoint | Data loss protection (DLP) events in SharePoint and OneDrive for Business.
13 | ComplianceDLPExchange | Data loss protection (DLP) events in Exchange, when configured via Unified DLP Policy. DLP events based on Exchange Transport Rules are not supported.
14 | SharePointSharingOperation | SharePoint sharing events.
15 | AzureActiveDirectoryStsLogon | Secure Token Service (STS) logon events in Microsoft Entra ID.
16 | SkypeForBusinessPSTNUsage | Public Switched Telephone Network (PSTN) events from Skype for Business.
17 | SkypeForBusinessUsersBlocked | Blocked user events from Skype for Business.
18 | SecurityComplianceCenterEOPCmdlet | Admin actions from the Security & Compliance Center.
19 | ExchangeAggregatedOperation | Aggregated Exchange mailbox auditing events.
20 | PowerBIAudit | Power BI events.
21 | CRM | Dynamics 365 events.
22 | Yammer | Yammer events.
23 | SkypeForBusinessCmdlets | Skype for Business events.
24 | Discovery | Events for eDiscovery activities performed by running content searches and managing eDiscovery cases in the Security & Compliance Center.
25 | MicrosoftTeams | Events from Microsoft Teams.
28 | ThreatIntelligence | Phishing and malware events from Exchange Online Protection and Microsoft Defender for Office 365.
29 | MailSubmission | Submission events from Exchange Online Protection and Microsoft Defender for Office 365.
30 | MicrosoftFlow | Microsoft Power Automate (formerly called Microsoft Flow) events.
31 | AeD | Advanced eDiscovery events.
32 | MicrosoftStream | Microsoft Stream events.
33 | ComplianceDLPSharePointClassification | Events related to DLP classification in SharePoint.
34 | ThreatFinder | Campaign-related events from Microsoft Defender for Office 365.
35 | Project | Microsoft Project events.
36 | SharePointListOperation | SharePoint List events.
37 | SharePointCommentOperation | SharePoint comment events.
38 | DataGovernance | Events related to retention policies and retention labels in the Security & Compliance Center.
39 | Kaizala | Kaizala events.
40 | SecurityComplianceAlerts | Security and compliance alert signals.
41 | ThreatIntelligenceUrl | Safe Links time-of-block and block override events from Microsoft Defender for Office 365.
42 | SecurityComplianceInsights | Events related to insights and reports in the Office 365 security and compliance center.
43 | MIPLabel | Events related to the detection in the Transport pipeline of email messages that have been tagged (manually or automatically) with sensitivity labels.
44 | WorkplaceAnalytics | Workplace Analytics events.
45 | PowerAppsApp | Power Apps events.
46 | PowerAppsPlan | Subscription plan events for Power Apps.
47 | ThreatIntelligenceAtpContent | Phishing and malware events for files in SharePoint, OneDrive for Business, and Microsoft Teams from Microsoft Defender for Office 365.
48 | LabelContentExplorer | Events related to data classification content explorer.
49 | TeamsHealthcare | Events related to the Patients application in Microsoft Teams for Healthcare.
50 | ExchangeItemAggregated | Events related to the MailItemsAccessed mailbox auditing action.
51 | HygieneEvent | Events related to outbound spam protection.
52 | DataInsightsRestApiAudit | Data Insights REST API events.
53 | InformationBarrierPolicyApplication | Events related to the application of information barrier policies.
54 | SharePointListItemOperation | SharePoint list item events.
55 | SharePointContentTypeOperation | SharePoint list content type events.
56 | SharePointFieldOperation | SharePoint list field events.
57 | MicrosoftTeamsAdmin | Teams admin events.
58 | HRSignal | Events related to HR data signals that support the Insider risk management solution.
59 | MicrosoftTeamsDevice | Teams device events.
60 | MicrosoftTeamsAnalytics | Teams analytics events.
61 | InformationWorkerProtection | Events related to compromised user alerts.
62 | Campaign | Email campaign events from Microsoft Defender for Office 365.
63 | DLPEndpoint | Endpoint DLP events.
64 | AirInvestigation | Automated incident response (AIR) events.
65 | Quarantine | Quarantine events.
66 | MicrosoftForms | Microsoft Forms events.
67 | ApplicationAudit | Application audit events.
68 | ComplianceSupervisionExchange | Events tracked by the Communication compliance offensive language model.
69 | CustomerKeyServiceEncryption | Events related to the customer key encryption service.
70 | OfficeNative | Events related to sensitivity labels applied to Office documents.
71 | MipAutoLabelSharePointItem | Auto-labeling events in SharePoint.
72 | MipAutoLabelSharePointPolicyLocation | Auto-labeling policy events in SharePoint.
73 | MicrosoftTeamsShifts | Teams Shifts events.
75 | MipAutoLabelExchangeItem | Auto-labeling events in Exchange.
76 | CortanaBriefing | Briefing email events.
78 | WDATPAlerts | Events related to alerts generated by Windows Defender for Endpoint.
79 | PowerAppsResource | Events related to Microsoft Power Platform Connectors (Preview).
82 | SensitivityLabelPolicyMatch | Events generated when a file labeled with a sensitivity label is opened or renamed.
83 | SensitivityLabelAction | Events generated when sensitivity labels are applied, updated, or removed from a file.
84 | SensitivityLabeledFileAction | Events generated when a file labeled with a sensitivity label is opened or renamed.
85 | AttackSim | Events related to user activities in Attack Simulation & Training in Microsoft Defender for Office 365.
86 | AirManualInvestigation | Events related to manual investigations in Automated investigation and response (AIR).
87 | SecurityComplianceRBAC | Security and compliance RBAC events.
88 | UserTraining | Events related to user training in Attack Simulation & Training in Microsoft Defender for Office 365.
89 | AirAdminActionInvestigation | Events related to admin actions in Automated investigation and response (AIR).
90 | MSTIC | Threat intelligence events in Microsoft Defender for Office 365.
91 | PhysicalBadgingSignal | Events related to physical badging signals that support the Insider risk management solution.
93 | AipDiscover | AIP scanner events.
94 | AipSensitivityLabelAction | AIP sensitivity label events.
95 | AipProtectionAction | AIP protection events.
96 | AipFileDeleted | AIP file deletion events.
97 | AipHeartBeat | AIP heartbeat events.
98 | MCASAlerts | Events corresponding to alerts triggered by Microsoft Cloud App Security.
99 | OnPremisesFileShareScannerDlp | Events related to scanning for sensitive data on file shares.
100 | OnPremisesSharePointScannerDlp | Events related to scanning for sensitive data in SharePoint.
101 | ExchangeSearch | Events related to using Outlook on the web (OWA) to search for mailbox items.
102 | SharePointSearch | Events related to searching an organization's SharePoint home site.
103 | PrivacyInsights | Privacy insight events.
105 | MyAnalyticsSettings | MyAnalytics events.
106 | SecurityComplianceUserChange | Events related to modifying or deleting a user.
107 | ComplianceDLPExchangeClassification | Exchange DLP classification events.
109 | MipExactDataMatch | Exact Data Match (EDM) classification events.
113 | MS365DCustomDetection | Events related to custom detection actions in Microsoft 365 Defender.
147 | CoreReportingSettings | Reports settings events.
148 | ComplianceConnector | Events related to importing non-Microsoft data using data connectors in the Microsoft Purview compliance portal.
154 | OMEPortal | Encrypted message portal event logs generated by external recipients.
164 | ScorePlatformGenericAuditRecord | Generic Audit Record used for Data Connectors.
174 | DataShareOperation | Events related to sharing of data ingested via SystemSync.
181 | EduDataLakeDownloadOperation | Events related to the export of SystemSync ingested data from the lake.
183 | MicrosoftGraphDataConnectOperation | Events related to extractions done by Microsoft Graph Data Connect.
186 | PowerPagesSite | Activities related to Power Pages sites.
187 | PowerPlatformAdminDlp | Events related to Microsoft Power Platform DLP (Preview).
188 | PlannerPlan | Microsoft Planner plan events.
189 | PlannerCopyPlan | Microsoft Planner copy plan events.
190 | PlannerTask | Microsoft Planner task events.
191 | PlannerRoster | Microsoft Planner roster and roster membership events.
192 | PlannerPlanList | Microsoft Planner plan list events.
193 | PlannerTaskList | Microsoft Planner task list events.
194 | PlannerTenantSettings | Microsoft Planner tenant settings events.
195 | ProjectForThewebProject | Microsoft Project for the web project events.
196 | ProjectForThewebTask | Microsoft Project for the web task events.
197 | ProjectForThewebRoadmap | Microsoft Project for the web roadmap events.
198 | ProjectForThewebRoadmapItem | Microsoft Project for the web roadmap item events.
199 | ProjectForThewebProjectSettings | Microsoft Project for the web project tenant settings events.
200 | ProjectForThewebRoadmapSettings | Microsoft Project for the web roadmap tenant settings events.
216 | Viva Goals | Viva Goals events.
217 | MicrosoftGraphDataConnectConsent | Events for consent actions performed by tenant admins for Microsoft Graph Data Connect applications.
218 | AttackSimAdmin | Events related to admin activities in Attack Simulation & Training in Microsoft Defender for Office 365.
230 | TeamsUpdates | Teams Updates app events.
231 | PlannerRosterSensitivityLabel | Microsoft Planner roster sensitivity label events.
237 | DefenderExpertsforXDRAdmin | Microsoft Defender Experts administrator action events.
251 | VfamCreatePolicy | Viva Access Management policy create events.
252 | VfamUpdatePolicy | Viva Access Management policy update events.
253 | VfamDeletePolicy | Viva Access Management policy delete events.
261 | CopilotInteraction | Copilot interaction events.
275 | OWAAuth | Access Token for Resource issued successfully events.
280 | VivaPulseResponse | Viva Pulse survey response events.
281 | VivaPulseOrganizer | Viva Pulse survey organizer events.
282 | VivaPulseAdmin | Viva Pulse admin events.
283 | VivaPulseReport | Viva Pulse report related events.
287 | ProjectForThewebAssignedToMeSettings | Microsoft Project for the web assigned to me tenant settings events.
288 | CloudPolicyService | Events from the Cloud Policy service.
298 | BackupPolicy | Events related to Microsoft 365 Backup Policies.
299 | RestoreTask | Events related to Microsoft 365 Backup Restore Tasks.
300 | RestoreItem | Events related to artifacts backed up with Microsoft 365 Backup.
301 | BackupItem | Events related to items being restored using Microsoft 365 Backup.
332 | ComplianceSettingsChange | Microsoft Purview Compliance settings change events.
337 | CloudUpdateProfileConfig | Events from the Cloud Update's profile configuration.
338 | CloudUpdateTenantConfig | Events from the Cloud Update's tenant configuration.
339 | CloudUpdateDeviceConfig | Events from Cloud Update's managed devices configuration.

Enum: UserType - Type: Edm.Int32

Value | Member name | Description
0 | Regular | A regular user without admin permissions.
1 | Reserved | A reserved value, not for use.
2 | Admin | An administrator in your Microsoft 365 organization. **
3 | DCAdmin | A Microsoft datacenter administrator or datacenter system account.
4 | System | An audit event triggered by server-side logic; for example, Windows services or background processes.
5 | Application | An audit event triggered by a Microsoft Entra application.
6 | ServicePrincipal | A service principal.
7 | CustomPolicy | A customer-created or customer-managed policy.
8 | SystemPolicy | A Microsoft-managed or system policy.
9 | PartnerTechnician | A partner tenant's user working on behalf of the customer tenant (in GDAP scenarios).
10 | Guest | A guest or anonymous user.

Note

** For Microsoft Entra-related events, the value for an administrator isn't used in an audit record. Audit records for activities performed by administrators indicate that a regular user (for example, UserType: 0) performed the activity. The UserId property identifies the person (regular user or administrator) who performed the activity.

Enum: AuditLogScope - Type: Edm.Int32

Value | Member name | Description
0 | Online | This event was created by a hosted O365 service.
1 | Onprem | This event was created by an on-premises server.
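The Common schema fields and the three enums above are what an ingestion pipeline has to interpret before a record is useful for detection. The following Python is an added example, not Microsoft's code: it normalizes a few constructed records, maps RecordType, UserType and Scope to their member names, and applies the two caveats stated on this page, namely that ResultStatus for STS logon events only reflects the HTTP operation (LogonError is what says the logon failed) and that ClientIP is null and UserType is unreliable for Entra ID events. Record GUIDs, UPNs, IP addresses, the LogonError text and the operation names in the samples are constructed placeholders, and the assumption that CreationTime arrives as an offset-less UTC timestamp is marked in the code.

```python
"""Normalize Common schema audit records from the Office 365 Management Activity API.

Added example, not Microsoft's code. Enum subsets are copied from the
AuditLogRecordType, UserType and AuditLogScope tables on this page; the sample
records, GUIDs, UPNs, IPs and the LogonError text are constructed placeholders.
"""
from datetime import datetime, timezone

RECORD_TYPE = {  # subset of AuditLogRecordType (value -> member name)
    1: "ExchangeAdmin", 4: "SharePoint", 6: "SharePointFileOperation",
    8: "AzureActiveDirectory", 14: "SharePointSharingOperation",
    15: "AzureActiveDirectoryStsLogon", 25: "MicrosoftTeams",
}
USER_TYPE = {0: "Regular", 2: "Admin", 3: "DCAdmin", 4: "System",  # subset of UserType
             5: "Application", 6: "ServicePrincipal", 10: "Guest"}
SCOPE = {0: "Online", 1: "Onprem"}  # AuditLogScope
# Entra ID record types: ClientIP is null and admins are logged as UserType 0
# (see the Note under the UserType table), so UserType is not trustworthy here.
ENTRA_RECORD_TYPES = {8, 15}


def enum_name(value, table):
    """Map an enum value to its member name; pass through names already given."""
    if isinstance(value, str) and not value.isdigit():
        return value  # e.g. Scope arrives as "online" rather than 0
    return table.get(int(value), f"Unknown({value})")


def outcome(record):
    """Derive the real outcome, applying the ResultStatus caveats from this page."""
    rt = record["RecordType"]
    if rt == 15:
        # STS logon: Succeeded only says the HTTP operation worked; a non-empty
        # LogonError means the logon itself failed and carries the reason.
        return "Failed" if record.get("LogonError") else "Succeeded"
    if rt == 1:
        # Exchange admin activity reports True/False instead of Succeeded/Failed.
        return "Succeeded" if str(record.get("ResultStatus")).lower() == "true" else "Failed"
    return record.get("ResultStatus")


def normalize(record):
    """Flatten one raw record into a SIEM-friendly dict of Common schema fields."""
    rt = record["RecordType"]
    # CreationTime is UTC; the API value carries no offset (assumption), so add it.
    created = datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)
    app_ctx = record.get("AppAccessContext") or {}
    return {
        "Id": record["Id"],
        "RecordType": enum_name(rt, RECORD_TYPE),
        "CreationTime": created,
        "Operation": record["Operation"],
        "Workload": record["Workload"],
        "UserId": record["UserId"],
        "UserType": enum_name(record["UserType"], USER_TYPE),
        "UserTypeReliable": rt not in ENTRA_RECORD_TYPES,
        "IsAppIdentity": record["UserId"].lower() == "app@sharepoint",
        "ClientIP": record.get("ClientIP") or None,  # null for Entra ID events
        "Scope": enum_name(record.get("Scope", 0), SCOPE).capitalize(),
        "ClientAppId": app_ctx.get("ClientAppId"),
        "Outcome": outcome(record),
    }


SAMPLE_RECORDS = [  # constructed records, not real tenant data
    {"Id": "00000000-0000-0000-0000-000000000001", "RecordType": 6,
     "CreationTime": "2024-05-01T08:15:00", "Operation": "FileAccessed",
     "UserType": 0, "UserId": "alice@example.com", "Workload": "SharePoint",
     "ResultStatus": "Succeeded", "ClientIP": "203.0.113.10", "Scope": "online",
     "ObjectId": "https://tenant.example/sites/finance/Shared Documents/budget.xlsx"},
    {"Id": "00000000-0000-0000-0000-000000000002", "RecordType": 15,
     "CreationTime": "2024-05-01T08:16:30", "Operation": "UserLoggedIn",
     "UserType": 0, "UserId": "bob@example.com", "Workload": "AzureActiveDirectory",
     "ResultStatus": "Succeeded", "ClientIP": None,
     "LogonError": "ConstructedLogonErrorForExample"},
    {"Id": "00000000-0000-0000-0000-000000000003", "RecordType": 1,
     "CreationTime": "2024-05-01T08:20:00", "Operation": "Set-Mailbox",
     "UserType": 2, "UserId": "admin@example.com", "Workload": "Exchange",
     "ResultStatus": "True", "ClientIP": "203.0.113.20"},
]


def failed_logons(records):
    """UPNs with STS logon failures that ResultStatus alone would report as Succeeded."""
    return sorted({n["UserId"] for n in map(normalize, records)
                   if n["RecordType"] == "AzureActiveDirectoryStsLogon" and n["Outcome"] == "Failed"})


if __name__ == "__main__":
    for n in map(normalize, SAMPLE_RECORDS):
        print(n["CreationTime"].isoformat(), n["RecordType"], n["UserId"], n["Outcome"], n["ClientIP"])
    print("Failed logons:", failed_logons(SAMPLE_RECORDS))
```

The second sample record is the case the Important note warns about: its ResultStatus is Succeeded, yet `outcome()` reports it as Failed because LogonError is populated. A failed-logon detection keyed only on ResultStatus would miss it entirely.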

Complex Type: AppAccessContext

Parameter | Type | Mandatory? | Description
AADSessionId | Edm.String | No | The Microsoft Entra SessionId of the Entra sign-in that was performed by the app on behalf of the user.
APIId | Edm.String | No | The Id for the API pathway that is used to access the resource; for example, access via the Microsoft Graph API.
ClientAppId | Edm.String | No | The Id of the Microsoft Entra app that performed the access on behalf of the user.
ClientAppName | Edm.String | No | The name of the Microsoft Entra app that performed the access on behalf of the user.
CorrelationId | Edm.String | No | An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
UniqueTokenId | Edm.String | No | UniqueTokenId is set if the Microsoft Entra token is available for the request. It's a unique, per-token identifier that is case-sensitive.
IssuedAtTime | Edm.Date | No | "Issued At" is set if the Microsoft Entra token is available for the request, and it indicates when the authentication for this Microsoft Entra token occurred.

SharePoint Base schema

Parameter | Type | Mandatory? | Description
Site | Edm.Guid | No | The GUID of the site where the file or folder accessed by the user is located.
ItemType | Edm.String (annotation String="Microsoft.Office.Audit.Schema.SharePoint.ItemType") | No | The type of object that was accessed or modified. See the ItemType table for details on the types of objects.
EventSource | Edm.String (annotation String="Microsoft.Office.Audit.Schema.SharePoint.EventSource") | No | Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel.
SourceName | Edm.String | No | The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel.
UserAgent | Edm.String | No | Information about the user's client or browser. This information is provided by the client or browser.
MachineDomainInfo | Edm.String (annotation Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") | No | Information about device sync operations. This information is reported only if it's present in the request.
MachineId | Edm.String (annotation Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") | No | Information about device sync operations. This information is reported only if it's present in the request.
ListItemUniqueId | Edm.Guid | No | The GUID of a uniquely identifiable list item. This information is present only if it is applicable.
ListId | Edm.Guid | No | The GUID of the list. This information is present only if it is applicable.
ApplicationId | Edm.String | No | The ID of the application performing the operation.
ApplicationDisplayName | Edm.String | No | The display name of the application performing the operation.
IsWorkflow | Edm.Boolean | No | Set to True if SharePoint Workflows triggered the audited event.

Enum: ItemType - Type: Edm.Int32

Value | Member name | Description
0 | Invalid | The item is none of the other item types listed in this table.
1 | File | The item is a file.
5 | Folder | The item is a folder.
6 | web | The item is a web.
7 | Site | The item is a site.
8 | Tenant | The item is a tenant.
9 | DocumentLibrary | The item is a document library.
11 | Page | The item is a page.

Enum: EventSource - Type: Edm.Int32

Value | Member name | Description
0 | SharePoint | The event source is SharePoint.
1 | ObjectModel | The event source is ObjectModel.
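The SharePoint Base schema adds the fields a reviewer of file and sharing activity actually pivots on: ItemType, EventSource, the application identity and IsWorkflow. The Python below is an added example, not Microsoft's code: it enriches constructed SharePoint records with the ItemType and EventSource member names from the tables above (accepting either the numeric value or the member name the API may emit), groups operations using names from the SharePointAuditOperation table on this page (invitation lifecycle, access requests, file operations), and builds a per-user summary of sharing invitations in which workflow-triggered events are tallied separately so automation does not inflate a person's numbers. Site GUIDs, UPNs and object URLs in the samples are constructed placeholders.

```python
"""Enrich SharePoint audit records with the SharePoint Base schema enums.

Added example, not Microsoft's code. ItemType/EventSource values come from the
tables on this page and the operation names from the SharePointAuditOperation
table; the records, GUIDs, UPNs and URLs are constructed placeholders.
"""
from collections import defaultdict

ITEM_TYPE = {0: "Invalid", 1: "File", 5: "Folder", 6: "web", 7: "Site",
             8: "Tenant", 9: "DocumentLibrary", 11: "Page"}
EVENT_SOURCE = {0: "SharePoint", 1: "ObjectModel"}

# Operation groups taken from the SharePointAuditOperation table on this page.
INVITATION_OPS = {"AccessInvitationCreated", "AccessInvitationAccepted",
                  "AccessInvitationUpdated", "AccessInvitationRevoked",
                  "AccessInvitationExpired"}
ACCESS_REQUEST_OPS = {"AccessRequestCreated", "AccessRequestApproved",
                      "AccessRequestRejected"}
FILE_OPS = {"FileAccessed", "FileCheckedIn", "FileCheckedOut",
            "FileCheckOutDiscarded", "FileCopied"}


def enum_name(value, table):
    """Accept the numeric enum value or the member name the API may emit."""
    if isinstance(value, str) and not value.isdigit():
        return value
    return table.get(int(value), f"Unknown({value})")


def categorize(operation):
    """Bucket an Operation name into the groups defined above."""
    if operation in INVITATION_OPS:
        return "sharing-invitation"
    if operation in ACCESS_REQUEST_OPS:
        return "access-request"
    if operation in FILE_OPS:
        return "file-operation"
    return "other"


def enrich(record):
    """Attach enum names, a category and the acting application to one record."""
    return {
        "Operation": record["Operation"],
        "Category": categorize(record["Operation"]),
        "UserId": record["UserId"],
        "ObjectId": record.get("ObjectId"),
        "Site": record.get("Site"),
        "ItemType": enum_name(record.get("ItemType", 0), ITEM_TYPE),
        "EventSource": enum_name(record.get("EventSource", 0), EVENT_SOURCE),
        # Workflow-triggered events are automation, not a person at a keyboard.
        "IsWorkflow": bool(record.get("IsWorkflow", False)),
        "Application": record.get("ApplicationDisplayName") or record.get("ApplicationId"),
        "UserAgent": record.get("UserAgent"),
    }


def sharing_summary(records):
    """Per user: invitations sent by a person, invitations sent by workflows, objects shared."""
    summary = defaultdict(lambda: {"invitations": 0, "workflow_invitations": 0, "objects": []})
    for e in map(enrich, records):
        if e["Operation"] != "AccessInvitationCreated":
            continue
        entry = summary[e["UserId"]]
        if e["IsWorkflow"]:
            entry["workflow_invitations"] += 1
        else:
            entry["invitations"] += 1
            entry["objects"].append(e["ObjectId"])
    return dict(summary)


SITE = "00000000-0000-0000-0000-0000000000a1"  # constructed site GUID
SAMPLE_RECORDS = [  # constructed records, not real tenant data
    {"Operation": "AccessInvitationCreated", "UserId": "alice@example.com", "Site": SITE,
     "ItemType": 1, "EventSource": 0,
     "ObjectId": "https://tenant.example/sites/finance/Shared Documents/budget.xlsx"},
    {"Operation": "AccessInvitationCreated", "UserId": "alice@example.com", "Site": SITE,
     "ItemType": "Folder", "EventSource": "SharePoint",
     "ObjectId": "https://tenant.example/sites/finance/Shared Documents/Q2"},
    {"Operation": "AccessInvitationCreated", "UserId": "alice@example.com", "Site": SITE,
     "ItemType": 1, "EventSource": 1, "IsWorkflow": True,
     "ObjectId": "https://tenant.example/sites/finance/Shared Documents/auto.docx"},
    {"Operation": "FileCheckedOut", "UserId": "bob@example.com", "Site": SITE,
     "ItemType": 1, "EventSource": 0, "ApplicationDisplayName": "Example Sync Client",
     "ObjectId": "https://tenant.example/sites/finance/Shared Documents/notes.docx"},
    {"Operation": "AccessRequestCreated", "UserId": "bob@example.com", "Site": SITE,
     "ItemType": 7, "EventSource": 0, "ObjectId": "https://tenant.example/sites/finance"},
]

if __name__ == "__main__":
    for e in map(enrich, SAMPLE_RECORDS):
        print(e["UserId"], e["Operation"], e["Category"], e["ItemType"], e["EventSource"])
    print(sharing_summary(SAMPLE_RECORDS))
```

Keeping IsWorkflow and the application identity in the enriched record is what lets a reviewer tell a person sharing files apart from a workflow or sync client acting under that person's name; the summary treats the two differently for that reason.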

Enum: SharePointAuditOperation - Type: Edm.Int32

Member name Description
AccessInvitationAccepted The recipient of an invitation to view or edit a shared file (or folder) has accessed the shared file by clicking on the link in the invitation.
AccessInvitationCreated User sends an invitation to another person (inside or outside their organization) to view or edit a shared file or folder on a SharePoint or OneDrive for Business site. The details of the event entry identifies the name of the file that was shared, the user the invitation was sent to, and the type of the sharing permission selected by the person who sent the invitation.
AccessInvitationExpired An invitation sent to an external user expires. By default, an invitation sent to a user outside of your organization expires after 7 days if the invitation isn't accepted.
AccessInvitationRevoked The site administrator or owner of a site or document in SharePoint or OneDrive for Business withdraws an invitation that was sent to a user outside your organization. An invitation can be withdrawn only before it's accepted.
AccessInvitationUpdated The user who created and sent an invitation to another person to view or edit a shared file (or folder) on a SharePoint or OneDrive for Business site resends the invitation.
AccessRequestApproved The site administrator or owner of a site or document in SharePoint or OneDrive for Business approves a user request to access the site or document.
AccessRequestCreated User requests access to a site or document in SharePoint or OneDrive for Business that they don't have permission to access.
AccessRequestRejected The site administrator or owner of a site or document in SharePoint declines a user request to access the site or document.
ActivationEnabled Users can browser-enable form templates that don't contain form code, require full trust, enable rendering on a mobile device, or use a data connection managed by a server administrator.
AdministratorAddedToTermStore Term store administrator added.
AdministratorDeletedFromTermStore Term store administrator deleted.
AllowGroupCreationSet Site administrator or owner adds a permission level to a SharePoint or OneDrive for Business site that allows a user assigned that permission to create a group for that site.
AppCatalogCreated App catalog created to make custom business apps available for your SharePoint Environment.
AuditPolicyRemoved Document LifeCycle Policy has been removed for a site collection.
AuditPolicyUpdate Document LifeCycle Policy has been updated for a site collection.
AzureStreamingEnabledSet A video portal owner has allowed video streaming from Azure.
CollaborationTypeModified The type of collaboration allowed on sites (for example, intranet, extranet, or public) has been modified.
ConnectedSiteSettingModified User has either created, modified or deleted the link between a project and a project site or the user modifies the synchronization setting on the link in Project web app.
CreateSSOApplication Target application created in Secure store service.
CustomFieldOrLookupTableCreated User created a custom field or lookup table/item in Project web app.
CustomFieldOrLookupTableDeleted User deleted a custom field or lookup table/item in Project web app.
CustomFieldOrLookupTableModified User modified a custom field or lookup table/item in Project web app.
CustomizeExemptUsers Global administrator customized the list of exempt user agents in SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file instead of an entire web page. This makes indexing InfoPath forms faster.
DefaultLanguageChangedInTermStore* Language setting changed in the terminology store.
DelegateModified User created or modified a security delegate in Project web app.
DelegateRemoved User deleted a security delegate in Project web app.
DeleteSSOApplication An SSO application was deleted.
eDiscoveryHoldApplied An In-Place Hold was placed on a content source. In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint.
eDiscoveryHoldRemoved An In-Place Hold was removed from a content source. In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint.
eDiscoverySearchPerformed An eDiscovery search was performed using an eDiscovery site collection in SharePoint.
EngagementAccepted User accepts a resource engagement in Project web app.
EngagementModified User modifies a resource engagement in Project web app.
EngagementRejected User rejects a resource engagement in Project web app.
EnterpriseCalendarModified User copies, modifies, or deletes an enterprise calendar in Project web app.
EntityDeleted User deletes a timesheet in Project web app.
EntityForceCheckedIn User forces a check-in on a calendar, custom field or lookup table in Project web app.
ExemptUserAgentSet Global administrator adds a user agent to the list of exempt user agents in the SharePoint admin center.
FileAccessed User or system account accesses a file on a SharePoint or OneDrive for Business site. System accounts can also generate FileAccessed events.
FileCheckOutDiscarded User discards (undoes) a file check-out. Any changes made to the file while it was checked out are discarded and not saved to the version of the document in the document library.
FileCheckedIn User checks in a document that they checked out from a SharePoint or OneDrive for Business document library.
FileCheckedOut User checks out a document located in a SharePoint or OneDrive for Business document library. Users can check out and make changes to documents that have been shared with them.
FileCopied User copies a document from a SharePoint or OneDrive for Business site. The copied file can be saved to another folder on the site.
FileDeleted User deletes a document from a SharePoint or OneDrive for Business site.
FileDeletedFirstStageRecycleBin User deletes a file from the recycle bin on a SharePoint or OneDrive for Business site.
FileDeletedSecondStageRecycleBin User deletes a file from the second-stage recycle bin on a SharePoint or OneDrive for Business site.
FileDownloaded User downloads a document from a SharePoint or OneDrive for Business site.
FileFetched This event has been replaced by the FileAccessed event, and has been deprecated.
FileModified User or system account modifies the content or the properties of a document located on a SharePoint or OneDrive for Business site.
FileMoved User moves a document from its current location on a SharePoint or OneDrive for Business site to a new location.
FilePreviewed User previews a document on a SharePoint or OneDrive for Business site.
FileRecycled User moves a document into the SharePoint or OneDrive Recycle Bin.
FileRenamed User renames a document on a SharePoint or OneDrive for Business site.
FileRestored User restores a document from the recycle bin of a SharePoint or OneDrive for Business site.
FileSyncDownloadedFull User downloads a file to their computer from a SharePoint document library or OneDrive for Business using the OneDrive sync app (OneDrive.exe).
FileSyncDownloadedPartial This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).
FileSyncUploadedFull User uploads a new file, or changes to a file, to a SharePoint document library or OneDrive for Business using the OneDrive sync app (OneDrive.exe).
FileSyncUploadedPartial This event has been deprecated along with the old OneDrive for Business sync app (Groove.exe).
FileUploaded User uploads a document to a folder on a SharePoint or OneDrive for Business site.
FileViewed This event has been replaced by the FileAccessed event, and has been deprecated.
FolderCopied User copies a folder from a SharePoint or OneDrive for Business site to another location in SharePoint or OneDrive for Business.
FolderCreated User creates a folder on a SharePoint or OneDrive for Business site.
FolderDeleted User deletes a folder from a SharePoint or OneDrive for Business site.
FolderDeletedFirstStageRecycleBin User deletes a folder from the recycle bin on a SharePoint or OneDrive for Business site.
FolderDeletedSecondStageRecycleBin User deletes a folder from the second-stage recycle bin on a SharePoint or OneDrive for Business site.
FolderModified User modifies a folder on a SharePoint or OneDrive for Business site. This event includes folder metadata changes, such as tags and properties.
FolderMoved User moves a folder from a SharePoint or OneDrive for Business site.
FolderRecycled User moves a folder into the SharePoint or OneDrive Recycle Bin.
FolderRenamed User renames a folder on a SharePoint or OneDrive for Business site.
FolderRestored User restores a folder from the Recycle Bin on a SharePoint or OneDrive for Business site.
GroupAdded Site administrator or owner creates a group for a SharePoint or OneDrive for Business site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.
GroupRemoved User deletes a group from a SharePoint or OneDrive for Business site.
GroupUpdated Site administrator or owner changes the settings of a group for a SharePoint or OneDrive for Business site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled.
LanguageAddedToTermStore Language added to the terminology store.
LanguageRemovedFromTermStore Language removed from the terminology store.
LegacyWorkflowEnabledSet Site administrator or owner adds the SharePoint Workflow Task content type to the site. Global administrators can also enable work flows for the entire organization in the SharePoint admin center.
LookAndFeelModified User modifies a quick launch, Gantt chart format, or grouping format, or creates, modifies, or deletes a view in Project web app.
ManagedSyncClientAllowed User successfully establishes a sync relationship with a SharePoint or OneDrive for Business site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. For more information, see Use SharePoint Online PowerShell to enable OneDrive sync for domains that are on the safe recipients list.
MaxQuotaModified The maximum quota for a site has been modified.
MaxResourceUsageModified The maximum allowable resource usage for a site has been modified.
MySitePublicEnabledSet The flag enabling users to have public MySites has been set by the SharePoint administrator.
NewsFeedEnabledSet Site administrator or owner enables RSS feeds for a SharePoint or OneDrive for Business site. Global administrators can enable RSS feeds for the entire organization in the SharePoint admin center.
ODBNextUXSettings New UI for OneDrive for Business has been enabled.
OfficeOnDemandSet Site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint admin center and requires an Office 365 subscription that includes full, installed Office applications.
PageViewed User views a page on a SharePoint or OneDrive for Business site. This does not include viewing document library files from a SharePoint or OneDrive for Business site in a browser.
PeopleResultsScopeSet Site administrator creates or changes the result source for People Searches for a SharePoint site.
PermissionSyncSettingModified User modifies the project permission sync settings in Project web app.
PermissionTemplateModified User creates, modifies or deletes a permissions template in Project web app.
PortfolioDataAccessed User accesses portfolio content (driver library, driver prioritization, portfolio analyses) in Project web app.
PortfolioDataModified User creates, modifies, or deletes portfolio data (driver library, driver prioritization, portfolio analyses) in Project web app.
PreviewModeEnabledSet Site administrator enables document preview for a SharePoint site.
ProjectAccessed User accesses project content in Project web app.
ProjectCheckedIn User checks in a project that they checked out from a Project web app.
ProjectCheckedOut User checks out a project located in a Project web app. Users can check out and make changes to projects that they have permission to open.
ProjectCreated User creates a project in Project web app.
ProjectDeleted User deletes a project in Project web app.
ProjectForceCheckedIn User forces a check in on a project in Project web app.
ProjectModified User modifies a project in Project web app.
ProjectPublished User publishes a project in Project web app.
ProjectWorkflowRestarted User restarts a workflow in Project web app.
PWASettingsAccessed User accesses the Project web app settings via CSOM.
PWASettingsModified User modifies a Project web app configuration.
QueueJobStateModified User cancels or restarts a queue job in Project web app.
QuotaWarningEnabledModified Storage quota warning modified.
RenderingEnabled Browser-enabled form templates will be rendered by InfoPath forms services.
ReportingAccessed User accessed the reporting endpoint in Project web app.
ReportingSettingModified User modifies the reporting configuration in Project web app.
ResourceAccessed User accesses an enterprise resource content in Project web app.
ResourceCheckedIn User checks in an enterprise resource that they checked out from Project web app.
ResourceCheckedOut User checks out an enterprise resource located in Project web app.
ResourceCreated User creates an enterprise resource in Project web app.
ResourceDeleted User deletes an enterprise resource in Project web app.
ResourceForceCheckedIn User forces a check-in of an enterprise resource in Project web app.
ResourceModified User modifies an enterprise resource in Project web app.
ResourcePlanCheckedInOrOut User checks a resource plan in or out in Project web app.
ResourcePlanModified User modifies a resource plan in Project web app.
ResourcePlanPublished User publishes a resource plan in Project web app.
ResourceRedacted User redacts an enterprise resource removing all personal information in Project web app.
ResourceWarningEnabledModified Resource quota warning modified.
SSOGroupCredentialsSet Group credentials set in Secure store service.
SSOUserCredentialsSet User credentials set in Secure store service.
SearchCenterUrlSet Search center URL set.
SecondaryMySiteOwnerSet A user has added a secondary owner to their MySite.
SecurityCategoryModified User creates, modifies or deletes a security category in Project web app.
SecurityGroupModified User creates, modifies or deletes a security group in Project web app.
SendToConnectionAdded Global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.
SendToConnectionRemoved Global administrator deletes a Send To connection on the Records management page in the SharePoint admin center.
SharedLinkCreated User creates a link to a shared file in SharePoint or OneDrive for Business. This link can be sent to other people to give them access to the file. A user can create two types of links: a link that allows a user to view and edit the shared file, or a link that allows the user to just view the file.
SharedLinkDisabled User disables (permanently) a link that was created to share a file.
SharingInvitationAccepted* User accepts an invitation to share a file or folder. This event is logged when a user shares a file with other users.
SharingRevoked User unshares a file or folder that was previously shared with other users. This event is logged when a user stops sharing a file with other users.
SharingSet User shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization.
SiteAdminChangeRequest User requests to be added as a site collection administrator for a SharePoint site collection. Site collection administrators have full control permissions for the site collection and all subsites.
SiteCollectionAdminAdded* Site collection administrator or owner adds a person as a site collection administrator for a SharePoint or OneDrive for Business site. Site collection administrators have full control permissions for the site collection and all subsites.
SiteCollectionCreated Global administrator creates a new site collection in your SharePoint organization.
SiteRenamed Site administrator or owner renames a SharePoint or OneDrive for Business site.
StatusReportModified User creates, modifies or deletes a status report in Project web app.
SyncGetChanges User clicks Sync in the action tray in SharePoint or OneDrive for Business to synchronize any changes to files in a document library to their computer.
SyntexBillingSubscriptionSettingsChanged The Syntex Billing subscription settings have changed. This event is triggered when a Syntex trial expires.
TaskStatusAccessed User accesses the status of one or more tasks in Project web app.
TaskStatusApproved User approves a status update of one or more tasks in Project web app.
TaskStatusRejected User rejects a status update of one or more tasks in Project web app.
TaskStatusSaved User saves a status update of one or more tasks in Project web app.
TaskStatusSubmitted User submits a status update of one or more tasks in Project web app.
TimesheetAccessed User accesses a timesheet in Project web app.
TimesheetApproved User approves timesheet in Project web app.
TimesheetRejected User rejects a timesheet in Project web app.
TimesheetSaved User saves a timesheet in Project web app.
TimesheetSubmitted User submits a timesheet in Project web app.
UnmanagedSyncClientBlocked User tries to establish a sync relationship with a SharePoint or OneDrive for Business site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains (called the safe recipients list) that can access document libraries in your organization. The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list.
UpdateSSOApplication Target application updated in Secure store service.
UserAddedToGroup Site administrator or owner adds a person to a group on a SharePoint or OneDrive for Business site. Adding a person to a group grants the user the permissions that were assigned to the group.
UserRemovedFromGroup Site administrator or owner removes a person from a group on a SharePoint or OneDrive for Business site. After the person is removed, they no longer are granted the permissions that were assigned to the group.
WorkflowModified User creates, modifies, or deletes an Enterprise Project Type or Workflow phases or stages in Project web app.

SharePoint file operations

The file-related SharePoint events listed in the "File and folder activities" section in Search the audit log in the compliance center use this schema.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| SiteUrl | Edm.String | Yes | The URL of the site where the file or folder accessed by the user is located. |
| SourceRelativeUrl | Edm.String | No | The URL of the folder that contains the file accessed by the user. The combination of the SiteUrl, SourceRelativeUrl, and SourceFileName values is the same as the value of the ObjectId property, which is the full path of the file accessed by the user. |
| SourceFileName | Edm.String | Yes | The name of the file or folder accessed by the user. |
| SourceFileExtension | Edm.String | No | The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder. |
| DestinationRelativeUrl | Edm.String | No | The URL of the destination folder to which a file is copied or moved. The combination of the SiteUrl, DestinationRelativeUrl, and DestinationFileName values is the full path of the file at its destination. This property is present only for FileCopied and FileMoved events. |
| DestinationFileName | Edm.String | No | The name of the file that is copied or moved. This property is present only for FileCopied and FileMoved events. |
| DestinationFileExtension | Edm.String | No | The file extension of the file that is copied or moved. This property is present only for FileCopied and FileMoved events. |
| UserSharedWith | Edm.String | No | The user that a resource was shared with. |
| SharingType | Edm.String | No | The type of sharing permission that was assigned to the user the resource was shared with. That user is identified by the UserSharedWith parameter. |
| SourceLabel | Edm.String | No | The label of the file before it was changed by the user action. |
| DestinationLabel | Edm.String | No | The label of the file after it was changed by the user action. |
| SensitivityLabelOwnerEmail | Edm.String | No | The email address of the owner of the sensitivity label. |
| SensitivityLabelId | Edm.String | No | The current sensitivity label ID of the file. |
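The path relationship stated in the SourceRelativeUrl and DestinationRelativeUrl rows, and the SourceLabel/DestinationLabel pair, are what detection logic keys on in this schema. The following is an added example written for this page (editor's code, not Microsoft's and not part of the API): it rebuilds the object path from SiteUrl, SourceRelativeUrl and SourceFileName and checks it against ObjectId, reports sensitivity-label downgrades against a caller-supplied label ranking (tenant-specific, so the default ordering below is an assumption), and flags users whose download-type operations cluster inside a short window. The records are constructed sample data shaped like API output; Operation, UserId, ObjectId and CreationTime come from the Common schema and the remaining fields from the table above.

```python
"""Triage of SharePoint file operation records: added example, not code from
the Microsoft page or the API. Common-schema fields used: Operation, UserId,
ObjectId, CreationTime; the rest are the file operations parameters above."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
MOVE_COPY_OPS = {"FileCopied", "FileMoved"}

# Constructed sample records; tenant, users, labels and paths are made up.
SITE = "https://contoso.sharepoint.example/sites/finance/"
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "SiteUrl": SITE,
     "SourceRelativeUrl": "Shared Documents/Q1", "SourceFileName": "budget.xlsx",
     "SourceFileExtension": "xlsx", "ObjectId": SITE + "Shared Documents/Q1/budget.xlsx"},
    {"CreationTime": "2024-05-01T09:00:20", "Operation": "FileMoved",
     "UserId": "alice@contoso.example", "SiteUrl": SITE,
     "SourceRelativeUrl": "Shared Documents/Q1", "SourceFileName": "budget.xlsx",
     "SourceFileExtension": "xlsx", "DestinationRelativeUrl": "Shared Documents/Public",
     "DestinationFileName": "budget.xlsx", "DestinationFileExtension": "xlsx",
     "SourceLabel": "Confidential", "DestinationLabel": "General",
     "ObjectId": SITE + "Shared Documents/Q1/budget.xlsx"},
    {"CreationTime": "2024-05-01T09:00:40", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "SiteUrl": SITE,
     "SourceRelativeUrl": "Shared Documents/Public", "SourceFileName": "budget.xlsx",
     "SourceFileExtension": "xlsx", "ObjectId": SITE + "Shared Documents/Public/budget.xlsx"},
    {"CreationTime": "2024-05-01T09:01:30", "Operation": "FileAccessed",
     "UserId": "bob@contoso.example", "SiteUrl": SITE,
     "SourceRelativeUrl": "Shared Documents/Q1", "SourceFileName": "notes.docx",
     "SourceFileExtension": "docx",
     # ObjectId deliberately disagrees with the path parts to exercise the check.
     "ObjectId": "https://contoso.sharepoint.example/sites/hr/Shared Documents/notes.docx"},
]

def _join(site_url, relative_url, name):
    """Build a full path the way ObjectId is built; tolerate a trailing slash
    on SiteUrl and an empty relative folder (root of the library)."""
    parts = [site_url.rstrip("/")]
    if relative_url:
        parts.append(relative_url.strip("/"))
    parts.append(name)
    return "/".join(parts)

def source_path(rec):
    return _join(rec["SiteUrl"], rec.get("SourceRelativeUrl", ""), rec["SourceFileName"])

def destination_path(rec):
    """Destination fields exist only on FileCopied and FileMoved records."""
    if rec["Operation"] not in MOVE_COPY_OPS:
        return None
    return _join(rec["SiteUrl"], rec.get("DestinationRelativeUrl", ""), rec["DestinationFileName"])

def object_id_consistent(rec):
    """SiteUrl + SourceRelativeUrl + SourceFileName must equal ObjectId; compare
    case-insensitively because URL casing is not stable across workloads."""
    return source_path(rec).lower() == rec["ObjectId"].lower()

def label_downgrades(records, order):
    """(user, path, from, to) for every label change that lowers the rank in
    `order` (lowest first). A removed label (DestinationLabel absent) counts."""
    rank = {name: i for i, name in enumerate(order)}
    out = []
    for r in records:
        src, dst = r.get("SourceLabel"), r.get("DestinationLabel")
        if src and src != dst and rank.get(dst, -1) < rank.get(src, -1):
            out.append((r["UserId"], source_path(r), src, dst))
    return out

def download_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Users with at least `threshold` download-type operations inside any
    `window`: a simple mass-download indicator over the file operations feed."""
    times = defaultdict(list)
    for r in records:
        if r["Operation"] in DOWNLOAD_OPS:
            times[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = []
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)

def triage(records, label_order=("General", "Confidential")):
    """Run all three checks. label_order is the tenant's label ranking, lowest
    first; the default here is an assumption made for the sample data."""
    return {"object_id_mismatches": [r["ObjectId"] for r in records if not object_id_consistent(r)],
            "label_downgrades": label_downgrades(records, label_order),
            "download_bursts": download_bursts(records)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

The ObjectId check earns its place because the three path parts and ObjectId are populated by different code paths in the service; a mismatch usually means the record was produced for an object that has since moved, and the analyst should pivot on ObjectId rather than the reconstructed path.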

SharePoint list operations

The SharePoint lists and list item related events listed in the "SharePoint list activities" section in Search the audit log in the compliance center use this schema.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| ListTitle | Edm.String | No | The title of the SharePoint list. |
| ListName | Edm.String | No | The name of the SharePoint list. |
| ListUrl | Edm.String | No | The URL of the list relative to the containing website. |
| ListBaseType | Edm.String | No | Specifies the base type for a list. |
| ListBaseTemplateType | Edm.String | No | The list definition type on which the list is based. |
| IsHiddenList | Edm.Boolean | No | This value is set to True if the SharePoint list is hidden. |
| IsDocLib | Edm.Boolean | No | This value is set to True if the SharePoint list is of the type Document Library. |

SharePoint Sharing schema

The sharing-related SharePoint events use this schema. They differ from the file and folder events in that the user's action affects another user: the person or group the resource is shared with. For more information about the SharePoint Sharing schema, see Use sharing auditing in the audit log.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| TargetUserOrGroupName | Edm.String | No | The UPN or name of the target user or group that a resource was shared with. |
| TargetUserOrGroupType | Edm.String | No | Identifies whether the target user or group is a Member, Guest, Group, or Partner. |
| EventData | XML code | No | Conveys follow-up information about the sharing action, such as adding a user to a group or granting edit permissions. |
| SiteUrl | Edm.String | No | The URL of the site where the file or folder accessed by the user is located. |
| SourceRelativeUrl | Edm.String | No | The URL of the folder that contains the file accessed by the user. The combination of the SiteUrl, SourceRelativeUrl, and SourceFileName values is the same as the value of the ObjectId property, which is the full path of the file accessed by the user. |
| SourceFileName | Edm.String | No | The name of the file or folder accessed by the user. |
| SourceFileExtension | Edm.String | No | The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder. |
| UniqueSharingId | Edm.String | No | The unique sharing ID associated with the sharing operation. |

SharePoint schema

The SharePoint events listed in Search the audit log in the compliance center (excluding the file and folder events) use this schema.

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| CustomEvent | Edm.String | No | Optional string for custom events. |
| EventData | Edm.String | No | Optional payload for custom events. |
| ModifiedProperties | Collection(ModifiedProperty) | No | Included for admin events, such as adding a user as a member of a site or of a site collection admin group. Each entry gives the name of the property that was modified (for example, the Site Admin group), the new value of the property (such as the user who was added as a site admin), and the previous value. |
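The Sharing schema's TargetUserOrGroupType and EventData fields and the SharePoint schema's ModifiedProperties are the two places where a grant of access to a SharePoint resource is recorded, so they are covered together here. The following is an added example written for this page (editor's code, not Microsoft's): it surfaces shares whose target type places the grantee outside the tenant, decodes the EventData XML fragment generically, and unpacks ModifiedProperties for the privilege-granting admin operations listed earlier on this page. The records are constructed; the EventData element names and the ModifiedProperty Name values in them are placeholders shaped like real ones, not documented values. Only the Name, OldValue and NewValue member names of ModifiedProperty are taken from the Common schema.

```python
"""Triage of SharePoint permission changes: added example, not code from the
Microsoft page or the API. Covers sharing records (SharePoint Sharing schema:
TargetUserOrGroupType, EventData, UniqueSharingId) and admin records
(SharePoint schema: ModifiedProperties). Common-schema fields used:
Operation, UserId, ObjectId."""
import xml.etree.ElementTree as ET

# Target types the Sharing schema documents; Guest and Partner are treated as
# outside the tenant (Partner conservatively so).
EXTERNAL_TARGET_TYPES = {"Guest", "Partner"}
# Privilege-granting admin operations, all from the SharePoint operations list.
PRIVILEGE_OPS = {"SiteCollectionAdminAdded", "UserAddedToGroup", "GroupAdded",
                 "AllowGroupCreationSet"}

# Constructed sample records. EventData element names and ModifiedProperty
# Name values are placeholders shaped like real ones, not documented values.
SAMPLE_RECORDS = [
    {"Operation": "SharingSet", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.sharepoint.example/sites/finance/Shared Documents/Q1/budget.xlsx",
     "SiteUrl": "https://contoso.sharepoint.example/sites/finance/",
     "SourceRelativeUrl": "Shared Documents/Q1", "SourceFileName": "budget.xlsx",
     "TargetUserOrGroupName": "partner@fabrikam.example", "TargetUserOrGroupType": "Guest",
     "EventData": "<PermissionsGranted>Edit</PermissionsGranted>",
     "UniqueSharingId": "11111111-1111-1111-1111-111111111111"},
    {"Operation": "SharingSet", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.sharepoint.example/sites/finance/Shared Documents/Q1/notes.docx",
     "TargetUserOrGroupName": "bob@contoso.example", "TargetUserOrGroupType": "Member",
     "EventData": "<PermissionsGranted>Read</PermissionsGranted>",
     "UniqueSharingId": "22222222-2222-2222-2222-222222222222"},
    {"Operation": "SiteCollectionAdminAdded", "UserId": "admin@contoso.example",
     "ObjectId": "https://contoso.sharepoint.example/sites/finance",
     "ModifiedProperties": [{"Name": "SiteAdmin", "OldValue": "",
                             "NewValue": "mallory@contoso.example"}]},
    {"Operation": "FileAccessed", "UserId": "bob@contoso.example",
     "ObjectId": "https://contoso.sharepoint.example/sites/finance/Shared Documents/Q1/notes.docx"},
]

def parse_event_data(xml_text):
    """EventData is an XML fragment with no guaranteed single root, so wrap it.
    It arrives from Microsoft's feed but is still parsed as untrusted input:
    prefer defusedxml in production to rule out entity-expansion tricks."""
    if not xml_text:
        return {}
    root = ET.fromstring(f"<r>{xml_text}</r>")
    return {child.tag: (child.text or "").strip() for child in root}

def external_shares(records):
    """Sharing records whose target type places the grantee outside the tenant."""
    hits = []
    for r in records:
        if r.get("TargetUserOrGroupType") in EXTERNAL_TARGET_TYPES:
            hits.append({
                "actor": r["UserId"], "operation": r["Operation"],
                "target": r["TargetUserOrGroupName"],
                "target_type": r["TargetUserOrGroupType"],
                "object": r["ObjectId"],
                "event_data": parse_event_data(r.get("EventData", "")),
                "sharing_id": r.get("UniqueSharingId", ""),
            })
    return hits

def admin_changes(records):
    """Privilege-granting admin events, with each ModifiedProperty unpacked as
    (Name, OldValue, NewValue), the three members the Common schema gives it."""
    hits = []
    for r in records:
        if r["Operation"] in PRIVILEGE_OPS and r.get("ModifiedProperties"):
            hits.append({
                "actor": r["UserId"], "operation": r["Operation"],
                "object": r["ObjectId"],
                "changes": [(p["Name"], p.get("OldValue", ""), p.get("NewValue", ""))
                            for p in r["ModifiedProperties"]],
            })
    return hits

if __name__ == "__main__":
    for hit in external_shares(SAMPLE_RECORDS) + admin_changes(SAMPLE_RECORDS):
        print(hit)
```

UniqueSharingId is kept on each hit because it is the key that ties a SharingSet record to the later SharingRevoked record for the same grant; without it, revocations cannot be matched back to the share that created the exposure.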

Project schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Entity | Edm.String | Yes | The ProjectEntity the audit record is for. |
| Action | Edm.String | Yes | The ProjectAction that was taken. |
| OnBehalfOfResId | Edm.Guid | No | The resource ID on whose behalf the action was taken. |

Enum: Project Action - Type: Edm.Int32

Project action

| Member name | Description |
|---|---|
| Accepted | The user accepted an event or workflow. |
| Accessed | The user accessed an entity. |
| Activated | The user activated an entity, event, or workflow. |
| Cancelled | The user cancelled an event or workflow. |
| CheckedIn | The user checked in an entity. |
| CheckedOut | The user checked out an entity. |
| Copied | The user copied an entity. |
| Created | The user created an entity. |
| Deactivated | The user deactivated an entity. |
| Deleted | The user deleted an entity. |
| Exported | The user exported an entity. |
| ForceCheckedIn | The user caused an entity to be force checked in. |
| Modified | The user modified an entity. |
| Published | The user published an entity. |
| Redacted | The user redacted an entity. |
| Rejected | The user rejected an entity. |
| Restarted | The user restarted an event or workflow. |
| Saved | The user saved an entity. |
| Sent | The user sent an entity. |
| Submitted | The user submitted an entity for review or workflow. |

Enum: Project Entity - Type: Edm.Int32

Project entity

| Member name | Description |
|---|---|
| CustomField | Represents an enterprise custom field. |
| Driver | Represents a portfolio driver. |
| DriverPrioritization | Represents a portfolio prioritization. |
| Engagement | Represents a resource engagement. |
| EnterpriseCalendar | Represents an enterprise resource calendar. |
| EnterpriseProjectType | Represents an enterprise project type. |
| FiscalPeriod | Represents a fiscal period. |
| GanttChartFormat | Represents a Gantt chart format. |
| GroupingFormat | Represents a view grouping format. |
| LineClassification | Represents a timesheet line classification. |
| LookupTable | Represents an enterprise lookup table. |
| PermissionTemplate | Represents a security permission template. |
| PortfolioAnalysis | Represents a portfolio analysis. |
| Project | Represents a project. |
| QueueJob | Represents a queue job. |
| QuickLaunch | Represents a quick launch item. |
| Reporting | Represents the reporting endpoint. |
| Resource | Represents an enterprise resource. |
| ResourcePlan | Represents a resource plan associated with a project. |
| SecurityCategory | Represents a security category. |
| SecurityGroup | Represents a security group. |
| Setting | Represents a Project web app setting. |
| Statusing | Represents a task status update. |
| StatusReport | Represents a status report. |
| TimeReportingPeriod | Represents a period of time for a timesheet. |
| Timesheet | Represents a timesheet entity. |
| TimesheetAuditLog | Represents a timesheet audit log. |
| TimesheetManager | Represents the manager of a timesheet. |
| UserDelegate | Represents a user delegation for another user. |
| View | Represents a view definition. |
| WorkflowPhase | Represents a phase in a workflow. |
| WorkflowStage | Represents a stage in a workflow. |

Exchange Admin schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| ModifiedObjectResolvedName | Edm.String | No | The user-friendly name of the object that was modified by the cmdlet. Logged only if the cmdlet modifies the object. |
| Parameters | Collection(Common.NameValuePair) | No | The name and value of every parameter that was used with the cmdlet identified in the Operation property. |
| ModifiedProperties | Collection(Common.ModifiedProperty) | No | Included for admin events. Each entry gives the name of the property that was modified, its new value, and its previous value. |
| ExternalAccess | Edm.Boolean | Yes | Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. False means the cmdlet was run by someone in your organization. True means it was run by datacenter personnel, a datacenter service account, or a delegated administrator. |
| OriginatingServer | Edm.String | No | The name of the server from which the cmdlet was executed. |
| OrganizationName | Edm.String | No | The name of the tenant. |
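Two fields in this schema do most of the work in practice: Parameters, which holds the cmdlet arguments as NameValuePair entries, and ExternalAccess, which separates your own administrators from datacenter and delegated-admin activity. The following is an added example written for this page (editor's code, not Microsoft's): it flattens Parameters into a dictionary, flags cmdlets that set up mail forwarding or grant full mailbox access, and separates ExternalAccess=True records. The cmdlet and parameter names in the watch list (Set-Mailbox, New-InboxRule, Add-MailboxPermission and so on) are well-known Exchange Online cmdlets chosen for the example; the page itself lists none. The records, users, server and tenant names are constructed.

```python
"""Triage of Exchange Admin audit records: added example, not code from the
Microsoft page or the API. Operation (Common schema) holds the cmdlet name;
Parameters is a Collection(Common.NameValuePair), i.e. a list of
{"Name": ..., "Value": ...}. The cmdlets and parameters watched below are
well-known Exchange Online names chosen for this example."""

# Cmdlets whose listed parameters redirect or expose a mailbox's mail.
FORWARDING_WATCHLIST = {
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "New-TransportRule": {"RedirectMessageTo", "BlindCopyTo"},
}

# Constructed sample records; users, server and tenant names are made up.
SAMPLE_RECORDS = [
    {"Operation": "Set-Mailbox", "UserId": "alice@contoso.example", "ExternalAccess": False,
     "ModifiedObjectResolvedName": "bob@contoso.example", "OriginatingServer": "EX01 (15.20.0.0)",
     "OrganizationName": "contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "bob@contoso.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:attacker@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example", "ExternalAccess": False,
     "Parameters": [{"Name": "Name", "Value": "Archive old mail"},
                    {"Name": "MoveToFolder", "Value": "bob@contoso.example:\\Archive"}]},
    {"Operation": "Set-Mailbox", "UserId": "NT AUTHORITY\\SYSTEM (w3wp)", "ExternalAccess": True,
     "ModifiedObjectResolvedName": "carol@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "carol@contoso.example"},
                    {"Name": "ProhibitSendQuota", "Value": "99 GB"}]},
    {"Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example", "ExternalAccess": False,
     "ModifiedObjectResolvedName": "ceo@contoso.example",
     "Parameters": [{"Name": "Identity", "Value": "ceo@contoso.example"},
                    {"Name": "User", "Value": "mallory@contoso.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"},
                    {"Name": "InheritanceType", "Value": "All"}]},
]

def params_to_dict(rec):
    """Flatten the NameValuePair list; a parameter given more than once (for
    example a multi-valued array) becomes a list instead of being overwritten."""
    out = {}
    for pair in rec.get("Parameters") or []:
        out.setdefault(pair["Name"], []).append(pair["Value"])
    return {k: v[0] if len(v) == 1 else v for k, v in out.items()}

def classify(rec):
    """Return the reasons this admin action deserves a look (empty if none)."""
    reasons = []
    params = params_to_dict(rec)
    # ExternalAccess=True means the cmdlet did not come from your own admins:
    # datacenter personnel, a datacenter service account, or a delegated admin.
    if rec.get("ExternalAccess"):
        reasons.append("external_access")
    watched = FORWARDING_WATCHLIST.get(rec["Operation"], set())
    if watched.intersection(params):
        reasons.append("mail_forwarding")
    if rec["Operation"] == "Add-MailboxPermission":
        rights = params.get("AccessRights", "")
        rights = rights if isinstance(rights, list) else [rights]
        if any("FullAccess" in r for r in rights):
            reasons.append("full_access_grant")
    return reasons

def triage(records):
    """Flagged records, each with the actor, the object touched and why."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            params = params_to_dict(rec)
            hits.append({"operation": rec["Operation"], "actor": rec["UserId"],
                         "target": rec.get("ModifiedObjectResolvedName") or params.get("Identity", ""),
                         "reasons": reasons, "parameters": params})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["operation"], hit["actor"], "->", hit["target"], hit["reasons"])
```

Note that Parameters is the only place the forwarding destination appears; ModifiedObjectResolvedName tells you which mailbox was changed but not what it was changed to, so a forwarding detection has to read the NameValuePair list rather than the resolved name.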

Exchange Mailbox schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| LogonType | Self.LogonType | No | Indicates the type of user who accessed the mailbox and performed the operation that was logged. |
| InternalLogonType | Self.LogonType | No | Reserved for internal use. |
| MailboxGuid | Edm.String | No | The Exchange GUID of the mailbox that was accessed. |
| MailboxOwnerUPN | Edm.String | No | The email address of the person who owns the mailbox that was accessed. |
| MailboxOwnerSid | Edm.String | No | The SID of the mailbox owner. |
| MailboxOwnerMasterAccountSid | Edm.String | No | The master account SID of the mailbox owner's account. |
| LogonUserSid | Edm.String | No | The SID of the user who performed the operation. |
| LogonUserDisplayName | Edm.String | No | The user-friendly name of the user who performed the operation. |
| ExternalAccess | Edm.Boolean | Yes | True if the logon user's domain is different from the mailbox owner's domain. |
| OriginatingServer | Edm.String | No | The server from which the operation originated. |
| OrganizationName | Edm.String | No | The name of the tenant. |
| ClientInfoString | Edm.String | No | Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. |
| ClientIPAddress | Edm.String | No | The IP address of the device that was used when the operation was logged, in IPv4 or IPv6 format. |
| ClientMachineName | Edm.String | No | The machine name that hosts the Outlook client. |
| ClientProcessName | Edm.String | No | The email client that was used to access the mailbox. |
| ClientVersion | Edm.String | No | The version of the email client. |

Enum: LogonType - Type: Edm.Int32

LogonType

| Value | Member name | Description |
|---|---|---|
| 0 | Owner | The mailbox owner. |
| 1 | Admin | A person with administrative privileges for someone's mailbox. |
| 2 | Delegated | A person with delegate privileges for someone's mailbox. |
| 3 | Transport | A transport service in the Microsoft datacenter. |
| 4 | SystemService | A service account in the Microsoft datacenter. |
| 5 | BestAccess | Reserved for internal use. |
| 6 | DelegatedAdmin | A delegated administrator. |

ExchangeMailboxAuditGroupRecord schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Folder | Self.ExchangeFolder | No | The folder where a group of items is located. |
| CrossMailboxOperations | Edm.Boolean | No | Indicates whether the operation involved more than one mailbox. |
| DestMailboxId | Edm.Guid | No | Set only if CrossMailboxOperations is True. The GUID of the target mailbox. |
| DestMailboxOwnerUPN | Edm.String | No | Set only if CrossMailboxOperations is True. The UPN of the owner of the target mailbox. |
| DestMailboxOwnerSid | Edm.String | No | Set only if CrossMailboxOperations is True. The SID of the owner of the target mailbox. |
| DestMailboxOwnerMasterAccountSid | Edm.String | No | Set only if CrossMailboxOperations is True. The master account SID of the owner of the target mailbox. |
| DestFolder | Self.ExchangeFolder | No | The destination folder, for operations such as Move. |
| Folders | Collection(Self.ExchangeFolder) | No | Information about the source folders involved in an operation; for example, if folders are selected and then deleted. |
| AffectedItems | Collection(Self.ExchangeItem) | No | Information about each item in the group. |

ExchangeMailboxAuditRecord schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Item | Self.ExchangeItem | No | Represents the item upon which the operation was performed. |
| ModifiedProperties | Collection(Edm.String) | No | TBD |
| SendAsUserSmtp | Edm.String | No | SMTP address of the user who is being impersonated. |
| SendAsUserMailboxGuid | Edm.Guid | No | The Exchange GUID of the mailbox that was accessed to send email as. |
| SendOnBehalfOfUserSmtp | Edm.String | No | SMTP address of the user on whose behalf the email is sent. |
| SendOnBehalfOfUserMailboxGuid | Edm.Guid | No | The Exchange GUID of the mailbox that was accessed to send mail on behalf of. |
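The Exchange Mailbox schema, the LogonType enum and the two record shapes above (single-item records with Item, group records with Folders and AffectedItems) are usually consumed together: the question an analyst asks is who other than the owner touched the mailbox, from where, and what they did. The following is an added example written for this page (editor's code, not Microsoft's) that answers exactly that: it decodes LogonType, skips owner activity, and attaches ExternalAccess, the client IP and client string, any SendAs/SendOnBehalf identity, and a one-line description of the item or items involved. The operation names in the sample (MailItemsAccessed, SendAs, HardDelete) are well-known mailbox audit operations that this page does not list; users, SIDs, hosts and addresses are constructed.

```python
"""Triage of Exchange Mailbox audit records: added example, not code from the
Microsoft page or the API. Covers the Exchange Mailbox schema, the LogonType
enum, and the ExchangeMailboxAuditRecord / ExchangeMailboxAuditGroupRecord
shapes above. Sample operation names (MailItemsAccessed, SendAs, HardDelete)
are well-known mailbox audit operations not listed on this page."""

# LogonType enum exactly as documented above.
LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegated", 3: "Transport",
               4: "SystemService", 5: "BestAccess", 6: "DelegatedAdmin"}

# Constructed sample records; users, SIDs, hosts and addresses are made up.
SAMPLE_RECORDS = [
    {"Operation": "MailItemsAccessed", "LogonType": 0, "ExternalAccess": False,
     "MailboxOwnerUPN": "ceo@contoso.example", "LogonUserDisplayName": "CEO",
     "ClientIPAddress": "203.0.113.10", "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "Folders": [{"Id": "f1", "Path": "\\Inbox"}],
     "AffectedItems": [{"Id": "i1", "Subject": "Board minutes"}]},
    {"Operation": "SendAs", "LogonType": 2, "ExternalAccess": False,
     "MailboxOwnerUPN": "ceo@contoso.example", "LogonUserDisplayName": "Mallory",
     "LogonUserSid": "S-1-5-21-1-2-3-1105", "ClientIPAddress": "198.51.100.7",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "SendAsUserSmtp": "ceo@contoso.example",
     "Item": {"Id": "i2", "Subject": "Urgent wire transfer",
              "ParentFolder": {"Id": "f2", "Path": "\\Sent Items"}}},
    {"Operation": "HardDelete", "LogonType": 1, "ExternalAccess": True,
     "MailboxOwnerUPN": "ceo@contoso.example", "LogonUserDisplayName": "msp-admin",
     "ClientIPAddress": "192.0.2.44", "ClientInfoString": "Client=Management;",
     "CrossMailboxOperations": False,
     "Folders": [{"Id": "f1", "Path": "\\Inbox"}],
     "AffectedItems": [{"Id": "i3", "Subject": "Invoice 1"}, {"Id": "i4", "Subject": "Invoice 2"}]},
]

def logon_type_name(value):
    return LOGON_TYPES.get(value, f"Unknown({value})")

def describe(rec):
    """Single-item records (ExchangeMailboxAuditRecord) carry Item; group
    records (ExchangeMailboxAuditGroupRecord) carry Folders and AffectedItems."""
    if "Item" in rec:
        item = rec["Item"]
        folder = (item.get("ParentFolder") or {}).get("Path", "")
        return f"{folder}: {item.get('Subject', '')!r}"
    items = rec.get("AffectedItems") or []
    folders = [f.get("Path", "") for f in rec.get("Folders") or []]
    return f"{len(items)} item(s) in {', '.join(folders) or 'unknown folder'}"

def non_owner_access(records):
    """Everything done in a mailbox by someone other than its owner. Admin,
    Delegated and DelegatedAdmin logons are where mailbox-takeover activity
    shows up; ExternalAccess (logon user's domain differs from the owner's),
    a SendAs/SendOnBehalf identity and any cross-mailbox target are surfaced
    so an analyst sees them without opening the raw record."""
    hits = []
    for r in records:
        if r.get("LogonType", 0) == 0:
            continue
        hits.append({
            "operation": r["Operation"], "mailbox": r["MailboxOwnerUPN"],
            "actor": r.get("LogonUserDisplayName") or r.get("LogonUserSid", ""),
            "logon_type": logon_type_name(r["LogonType"]),
            "external_access": bool(r.get("ExternalAccess")),
            "client_ip": r.get("ClientIPAddress", ""),
            "client": r.get("ClientInfoString", ""),
            "sent_as": r.get("SendAsUserSmtp") or r.get("SendOnBehalfOfUserSmtp") or "",
            "cross_mailbox_target": r.get("DestMailboxOwnerUPN", "") if r.get("CrossMailboxOperations") else "",
            "item_count": 1 if "Item" in r else len(r.get("AffectedItems") or []),
            "detail": describe(r),
        })
    return hits

if __name__ == "__main__":
    for h in non_owner_access(SAMPLE_RECORDS):
        print(f"{h['logon_type']:<14} {h['operation']:<10} {h['mailbox']} by {h['actor']} "
              f"from {h['client_ip']} external={h['external_access']} {h['detail']}")
```

A SendAs record with LogonType Delegated and SendAsUserSmtp equal to the mailbox owner is the textbook shape of a delegate sending mail in the executive's name; pairing it with ClientIPAddress and ClientInfoString is what lets you tell a legitimate assistant on a known device from a compromised delegate account.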

ExchangeItem complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Id | Edm.String | Yes | The store ID. |
| Subject | Edm.String | No | The subject line of the message that was accessed. |
| ParentFolder | Edm.ExchangeFolder | No | The name of the folder where the item is located. |
| Attachments | Edm.String | No | A list of the names and file sizes of all items that are attached to the message. |

ExchangeFolder complex type

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Id | Edm.String | Yes | The store ID of the folder object. |
| Path | Edm.String | No | The name of the mailbox folder where the message that was accessed is located. |

OWA Auth schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| UniqueTokenIdentifier | Edm.String | No | A unique identifier for the resource. |
| ResourceURL | Edm.String | No | The resource URL. |

Azure Active Directory Base schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| AzureActiveDirectoryEventType | Self.AzureActiveDirectoryEventType | Yes | The type of Microsoft Entra event. |
| ExtendedProperties | Collection(Common.NameValuePair) | No | The extended properties of the Microsoft Entra event. |
| ModifiedProperties | Collection(Common.ModifiedProperty) | No | Included for admin events. Each entry gives the name of the property that was modified, its new value, and its previous value. |

Enum: AzureActiveDirectoryEventType - Type: Edm.Int32

AzureActiveDirectoryEventType

| Member name | Description |
|---|---|
| AccountLogon | The account login event. |
| AzureApplicationAuditEvent | The Azure application security event. |

Azure Active Directory Account Logon schema

| Parameter | Type | Mandatory? | Description |
|---|---|---|---|
| Application | Edm.String | No | The application that triggered the account login event, such as Office 15. |
| Client | Edm.String | No | Details about the client device, device OS, and device browser that were used for the account login event. |
| LoginStatus | Edm.Int32 | Yes | Taken directly from OrgIdLogon.LoginStatus. Alerting logic can map the logon failure codes of interest to their meaning. |
| UserDomain | Edm.String | Yes | The Tenant Identity Information (TII). |

Enum: CredentialType - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| -1 | Other | Other authentication. |
| 0 | Password | User credential is username and password. |
| 1 | MobilePhone | User credential is mobile phone. |
| 2 | SecretQuestion | User credential is secret question. |
| 3 | SecurePin | User credential is secure PIN. |
| 4 | SecurePinReset | User credential is secure PIN reset. |
| 11 | EasyID | User credential is EasyID. |
| 14 | PasswordIndexCred​entialType | User credential is PasswordIndexCredentialType. |
| 16 | Device | User credential is a device. |
| 17 | ForeignRealmIndex | User credential is ForeignRealmIndex. |

Enum: LoginType - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| -1 | Other | Other login type. |
| 1 | InitialAuth | Login with initial authentication. |
| 2 | CookieCopy | Login with cookie. |
| 3 | SilentReAuth | Login with silent re-authentication. |

Enum: AuthenticationMethod - Type: Edm.Int32

| Value | Member name | Description |
|---|---|---|
| 0 | Min | The authentication method is Min. |
| 1 | Password | The authentication method is a password. |
| 2 | Digest | The authentication method is a digest. |
| 3 | ProxyAuth | The authentication method is ProxyAuth. |
| 4 | InfoCard | The authentication method is an InfoCard. |
| 5 | DAToken | The authentication method is a DAToken. |
| 6 | Sha1RememberMyPassword | The authentication method is Sha1RememberMyPassword. |
| 7 | LMPasswordHash | The authentication method is an LMPasswordHash. |
| 8 | ADFSFederatedToken | The authentication method is an ADFSFederatedToken. |
| 9 | EID | The authentication method is an EID. |
| 10 | DeviceID | The authentication method is a DeviceID. |
| 11 | MD5 | The authentication method is MD5. |
| 12 | EncProxyPasswordHash | The authentication method is an EncProxyPasswordHash. |
| 13 | LWAFederation | The authentication method is LWAFederation. |
| 14 | Sha1HashedPassword | The authentication method is a Sha1HashedPassword. |
| 15 | SecurePin | The authentication method is a secure PIN. |
| 16 | SecurePinReset | The authentication method is a secure PIN reset. |
| 17 | SAML20PostSimpleSign | The authentication method is SAML20PostSimpleSign. |
| 18 | SAML20Post | The authentication method is SAML20Post. |
| 19 | OneTimeCode | The authentication method is a one-time code. |

Azure Active Directory schema

Parameters Type Mandatory? Description
Actor Collection(Self.IdentityTypeValuePair) No The user or service principal that performed the action.
ActorContextId Edm.String No The GUID of the organization that the actor belongs to.
ActorIpAddress Edm.String No The actor's IP address in IPV4 or IPV6 address format.
InterSystemsId Edm.String No The GUID that tracks the actions across components within the Office 365 service.
IntraSystemsId Edm.String No The GUID that's generated by Azure Active Directory to track the action.
SupportTicketId Edm.String No The customer support ticket ID for the action in "act-on-behalf-of" situations.
Target Collection(Self.IdentityTypeValuePair) No The user that the action (identified by the Operation property) was performed on.
TargetContextId Edm.String No The GUID of the organization that the targeted user belongs to.

Complex Type IdentityTypeValuePair

Parameters Type Mandatory? Description
ID Edm.String Yes The value of the identity given the type.
Type Self.IdentityType Yes The type of the identity.

Enum: IdentityType - Type: Edm.Int32

IdentityType

Member name Description
Claim The identity is a claim for authorization purpose.
Name The audit action actor or target identity display name.
Other The identity of the actor is other type, such as the ObjectId in GUID generated by the Office 365 service.
PUID The audit action actor or the target passport unique ID (PUID).
SPN The identity of a service principal if the action is performed by the Office 365 service.
UPN The user principal name.

Azure Active Directory Secure Token Service (STS) Logon schema

Parameters Type Mandatory? Description
ApplicationId Edm.String No The GUID that represents the application that is requesting the login. The display name can be looked up via the Azure Active Directory Graph API.
Client Edm.String No Client device information, provided by the browser performing the login.
DeviceProperties Collection(Common.NameValuePair) No This property includes various device details, including Id, Display name, OS, Browser, IsCompliant, IsCompliantAndManaged, SessionId, and DeviceTrustType. The DeviceTrustType property can have the following values:

0 - Microsoft Entra registered
1 - Microsoft Entra joined
2 - Hybrid Microsoft Entra joined
ErrorCode Edm.String No For failed logins (where the value for the Operation property is UserLoginFailed), this property contains the Azure Active Directory STS (AADSTS) error code. For descriptions of these error codes, see Authentication and authorization error codes. A value of 0 indicates a successful login.
LogonError Edm.String No For failed logins, this property contains a user-readable description of the reason for the failed login.
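
The STS logon fields above lend themselves to a small triage pass over a feed batch. The following Python is an added example, not code from the Office 365 documentation: it decodes DeviceTrustType from the DeviceProperties name-value pairs, treats ErrorCode "0" as success as the table states, and tallies failed sign-ins per user. The records are constructed samples; the ApplicationId GUIDs and the AADSTS code 50126 are placeholder values, and the Operation name UserLoggedIn for successful sign-ins is an assumption, since this section documents only UserLoginFailed.

```python
"""Added example (not from the Office 365 documentation): classify Azure Active
Directory STS logon records using the fields described in the schema above.
All records below are constructed samples, not real audit data."""
import json
from collections import Counter, defaultdict

# DeviceTrustType values as listed in the DeviceProperties description.
DEVICE_TRUST_TYPE = {
    "0": "Microsoft Entra registered",
    "1": "Microsoft Entra joined",
    "2": "Hybrid Microsoft Entra joined",
}

# Constructed sample feed. ApplicationId values are placeholder GUIDs, the AADSTS
# code 50126 is a sample value, and "UserLoggedIn" is an assumed Operation name
# for successful sign-ins (the schema text documents only UserLoginFailed).
SAMPLE_FEED = json.dumps([
    {"Operation": "UserLoggedIn", "UserId": "alice@contoso.example",
     "ApplicationId": "00000000-0000-0000-0000-00000000aaaa", "ErrorCode": "0",
     "DeviceProperties": [{"Name": "OS", "Value": "Windows"},
                          {"Name": "DeviceTrustType", "Value": "1"}]},
    {"Operation": "UserLoginFailed", "UserId": "bob@contoso.example",
     "ApplicationId": "00000000-0000-0000-0000-00000000aaaa", "ErrorCode": "50126",
     "LogonError": "InvalidUserNameOrPassword",
     "DeviceProperties": [{"Name": "OS", "Value": "Linux"}]},
    {"Operation": "UserLoginFailed", "UserId": "bob@contoso.example",
     "ApplicationId": "00000000-0000-0000-0000-00000000aaaa", "ErrorCode": "50126",
     "LogonError": "InvalidUserNameOrPassword",
     "DeviceProperties": [{"Name": "OS", "Value": "Linux"}]},
    {"Operation": "UserLoggedIn", "UserId": "carol@contoso.example",
     "ApplicationId": "00000000-0000-0000-0000-00000000bbbb", "ErrorCode": "0",
     "DeviceProperties": [{"Name": "DeviceTrustType", "Value": "2"}]},
])


def device_property(record, name):
    """Return the Value of the named entry in the DeviceProperties
    Collection(Common.NameValuePair), or None if it is absent."""
    for pair in record.get("DeviceProperties") or []:
        if pair.get("Name") == name:
            return pair.get("Value")
    return None


def device_trust_label(record):
    """Map the DeviceTrustType code to its documented meaning. Sign-ins from
    unregistered devices carry no DeviceTrustType entry at all."""
    code = device_property(record, "DeviceTrustType")
    if code is None:
        return "not reported (unregistered device)"
    return DEVICE_TRUST_TYPE.get(str(code), f"unknown code {code}")


def is_failed_logon(record):
    """Per the schema, ErrorCode "0" is a successful login; any other value is
    the AADSTS error code of a failed login."""
    return str(record.get("ErrorCode", "0")) != "0"


def summarize_logons(feed_json):
    """Aggregate a batch of STS logon records into two defender-facing views:
    failed sign-ins per user, keyed by "<ErrorCode>: <LogonError>", and the
    device trust posture of the successful sign-ins."""
    failures = defaultdict(Counter)
    trust = Counter()
    for rec in json.loads(feed_json):
        if is_failed_logon(rec):
            key = f"{rec['ErrorCode']}: {rec.get('LogonError', '')}"
            failures[rec["UserId"]][key] += 1
        else:
            trust[device_trust_label(rec)] += 1
    return {"failures": {user: dict(c) for user, c in failures.items()},
            "trust": dict(trust)}


def users_over_threshold(summary, threshold):
    """UserIds whose failed sign-ins in the batch reach the threshold; a
    starting point for an alert rule on repeated authentication failures."""
    return sorted(user for user, codes in summary["failures"].items()
                  if sum(codes.values()) >= threshold)


if __name__ == "__main__":
    report = summarize_logons(SAMPLE_FEED)
    print(json.dumps(report, indent=2))
    print("over threshold:", users_over_threshold(report, 2))
```

Records with no DeviceTrustType entry come from devices that are not registered, which is why the lookup returns an explicit label instead of failing; a production rule would also window the failure count by CreationTime rather than by feed batch.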

DLP schema

DLP events are available for Exchange Online, Endpoint (devices), SharePoint Online, and OneDrive for Business. Note that DLP events in Exchange are only available for events based on a unified DLP policy (for example, one configured via the Security & Compliance Center). DLP events based on Exchange Transport Rules are not supported.

DLP (Data Loss Prevention) events will always have UserKey="DlpAgent" in the common schema. There are three types of DlpEvents that are stored as the value of the Operation property of the common schema:

  • DlpRuleMatch - Indicates a rule was matched. These events exist in Exchange, Endpoint (devices), SharePoint Online, and OneDrive for Business. For Exchange, the event includes false positive and override information. For SharePoint Online and OneDrive for Business, false positives and overrides generate separate events.

  • DlpRuleUndo - These only exist in SharePoint Online and OneDrive for Business, and indicate a previously applied policy action has been "undone" – either because of false positive/override designation by user, or because the document is no longer subject to policy (either due to policy change or change to content in doc).

  • DlpInfo - These only exist in SharePoint Online and OneDrive for Business and indicate a false positive designation but no action was "undone."

Parameters Type Mandatory Description
SharePointMetaData Self.SharePointMetadata No Describes metadata about the document in SharePoint or OneDrive for Business that contained the sensitive information.
ExchangeMetaData Self.ExchangeMetadata No Describes metadata about the email message that contained the sensitive information.
EndpointMetaData Self.EndpointMetadata No Describes metadata about the document in endpoint that contained the sensitive information
ExceptionInfo Edm.String No Identifies reasons why a policy no longer applies and/or any information about false positive and/or override noted by the end user.
PolicyDetails Collection(Self.PolicyDetails) Yes Information about 1 or more policies that triggered the DLP event.
SensitiveInfoDetectionIsIncluded Boolean Yes Indicates whether the event contains the value of the sensitive data type and surrounding context from the source content. Accessing sensitive data requires the "Read DLP policy events including sensitive details" permission in Azure Active Directory.

SharePointMetadata complex type

Parameters Type Mandatory? Description
From Edm.String Yes The user who triggered the event. This will be either the FileOwner, LastModifier, or LastSharer.
itemCreationTime Edm.Date Yes Timestamp in UTC of when the event was logged.
SiteCollectionGuid Edm.Guid Yes The GUID of the site collection.
SiteCollectionUrl Edm.String Yes Name of the SharePoint site.
FileName Edm.String Yes Name of the path.
FileOwner Edm.String Yes The document owner.
FilePathUrl Edm.String Yes The URL of the document
DocumentLastModifier Edm.String Yes The user who last modified the document.
DocumentSharer Edm.String Yes The user who last modified sharing of the document.
UniqueId Edm.String Yes A guid that identifies the file.
LastModifiedTime Edm.DateTime Yes Timestamp in UTC for when doc was last modified.
IsViewableByExternalUsers Edm.Boolean Yes Determines if the file is accessible to any external user.

ExchangeMetadata complex type

Parameters Type Mandatory? Description
MessageID Edm.String Yes The message ID of the email that triggered the event.
From Edm.String Yes The user who sent the email.
To Collection(Edm.String) No A collection of email addresses that were on the To line of the message.
CC Collection(Edm.String) No A collection of email addresses that were on the CC line of the message.
BCC Collection(Edm.String) No A collection of email addresses that were on the BCC line of the message.
Subject Edm.String Yes Subject of the email message.
Sent Edm.DateTime Yes The time in UTC of when the email was sent.
RecipientCount Edm.Int32 Yes The total number of all recipients on the TO, CC, and BCC lines of the message.

EndpointMetadata complex type

Parameters Type Mandatory? Description
SensitiveInformation Collection(Self.SensitiveInformation) No Information about the type of sensitive information detected.
EnforcementMode Edm.String Yes Indicates the enforcement mode the DLP rule was set to, as a value from 1 to 5: 1 = audit, 2 = warn (block with override), 3 = warn and bypass, 4 = block, 5 = allow (audit without alerts).
FileExtension Edm.String No The file extension of the document that contained the sensitive information.
FileType Edm.String No The file type of the document that contained the sensitive information.
DeviceName Edm.String No The name of the device on which DLP rule match was detected.

PolicyDetails complex type

Parameters Type Mandatory? Description
PolicyId Edm.Guid Yes The guid of the DLP policy for this event.
PolicyName Edm.String Yes The friendly name of the DLP policy for this event.
Rules Collection(Self.Rules) Yes Information about the rules within the policy that were matched for this event.

Rules complex type

Parameters Type Mandatory? Description
RuleId Edm.Guid Yes The guid of the DLP rule for this event.
RuleName Edm.String Yes The friendly name of the DLP rule for this event.
Actions Collection(Edm.String) No A list of actions taken as a result of a DLP RuleMatch event.
OverriddenActions Collection(Edm.String) No A list of actions previously taken that were now undone as a result of a DLPRuleUndo event.
Severity Edm.String No The severity (Low, Medium and High) of the rule match.
RuleMode Edm.String Yes Indicates whether the DLP rule was set to Enforce, Audit with Notify, or Audit only.
ConditionsMatched Self.ConditionsMatched No Details about what conditions of the rule were matched for this event.

ConditionsMatched complex type

Parameters Type Mandatory? Description
SensitiveInformation Collection(Self.SensitiveInformation) No Information about the type of sensitive information detected.
DocumentProperties Collection(NameValuePair) No Information about document properties that triggered a rule match.
OtherConditions Collection(NameValuePair) No A list of key value pairs describing any other conditions that were matched.

SensitiveInformation complex type

Parameters Type Mandatory? Description
Confidence Edm.Int Yes The aggregated confidence of all pattern matches for the Sensitive Information Type.
Count Edm.Int Yes The total number of sensitive instances detected.
Location Edm.String No
SensitiveType Edm.Guid Yes A guid that identifies the type of sensitive data detected.
SensitiveInformationDetections Self.SensitiveInformationDetections No An array of objects that contain sensitive information data with the following details – matched value and context of matched value.
SensitiveInformationDetailedClassificationAttributes Collection(SensitiveInformationDetailedConfidenceLevelResult) Yes Information about the count of sensitive information type detected for each of the three confidence levels (High, Medium and Low) and whether it matches the DLP rule or not.
SensitiveInformationTypeName Edm.String No The name of the sensitive information type.
UniqueCount Edm.Int32 Yes The unique count of sensitive instances detected.

SensitiveInformationDetailedClassificationAttributes complex type

Parameters Type Mandatory? Description
Confidence Edm.Int32 Yes The confidence level of the pattern that was detected.
Count Edm.Int32 Yes The number of sensitive instances detected for a particular confidence level.
IsMatch Edm.Boolean Yes Indicates if the given count and confidence level of the sensitive type detected results in a DLP rule match.

SensitiveInformationDetections complex type

DLP sensitive data is only available in the activity feed API to users that have been granted "Read DLP sensitive data" permissions.

Parameters Type Mandatory? Description
DetectedValues Collection(Common.NameValuePair) Yes An array of sensitive information that was detected. Each entry is a key-value pair with Value = the matched value (e.g., the value of a credit card number) and Context = an excerpt from the source content that contains the matched value.
ResultsTruncated Edm.Boolean Yes Indicates if the logs were truncated due to large number of results.

ExceptionInfo complex type

Parameters Type Mandatory? Description
Reason Edm.String No For a DLPRuleUndo event, this indicates why the rule no longer applies, which can be one of 3 reasons: Override, Document Change, or Policy Change.
FalsePositive Edm.Boolean No Indicates whether the user designated this event as a false positive.
Justification Edm.String No If the user chose to override policy, any user-specified justification is captured here.
Rules Collection(Edm.Guid) No A collection of guids for each rule that was designated as a false positive or override, or for which an action was undone.
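
The DLP schema above nests PolicyDetails, Rules, ConditionsMatched and SensitiveInformation several levels deep, and the three Operation values carry different payloads. The following Python is an added example, not code from the Office 365 documentation: it flattens one DLP event into a reviewer-oriented summary, decodes the EndpointMetadata EnforcementMode codes from the table above, and, for DlpRuleUndo, reads the ExceptionInfo reason. The events are constructed samples; every GUID and the action name BlockAccess are placeholders, and because the schema types ExceptionInfo as Edm.String while a later section describes it as a complex type, the code accepts it either as a JSON string or as an object.

```python
"""Added example (not from the Office 365 documentation): reduce a DLP event
from the Management Activity API to what a reviewer needs: the workload, the
policy and rule that fired, the sensitive types counted at each confidence
level, and, for DlpRuleUndo, why the action was reversed. Events are
constructed samples; all GUIDs are placeholders."""
import json

# EnforcementMode codes for EndpointMetadata, as described in the schema table.
ENFORCEMENT_MODE = {"1": "audit", "2": "warn (block with override)",
                    "3": "warn and bypass", "4": "block",
                    "5": "allow (audit without alerts)"}

POLICY_ID = "11111111-1111-1111-1111-111111111111"  # placeholder GUID
RULE_ID = "22222222-2222-2222-2222-222222222222"    # placeholder GUID
SIT_ID = "33333333-3333-3333-3333-333333333333"     # placeholder SensitiveType GUID

SAMPLE_RULE_MATCH = {
    "Operation": "DlpRuleMatch", "UserKey": "DlpAgent",
    "EndpointMetaData": {"EnforcementMode": "2", "FileExtension": ".xlsx",
                         "FileType": "Excel", "DeviceName": "LAPTOP-SAMPLE"},
    "SensitiveInfoDetectionIsIncluded": False,
    "PolicyDetails": [{"PolicyId": POLICY_ID, "PolicyName": "Sample PCI policy", "Rules": [{
        "RuleId": RULE_ID, "RuleName": "Credit card high volume", "Severity": "High",
        "RuleMode": "Enforce", "Actions": ["BlockAccess"],   # sample action name
        "ConditionsMatched": {"SensitiveInformation": [{
            "SensitiveType": SIT_ID, "SensitiveInformationTypeName": "Credit Card Number",
            "Confidence": 85, "Count": 12, "UniqueCount": 9,
            "SensitiveInformationDetailedClassificationAttributes": [
                {"Confidence": 85, "Count": 12, "IsMatch": True},
                {"Confidence": 75, "Count": 0, "IsMatch": False},
                {"Confidence": 65, "Count": 0, "IsMatch": False}]}]}}]}],
}

SAMPLE_UNDO = {
    "Operation": "DlpRuleUndo", "UserKey": "DlpAgent",
    "SharePointMetaData": {"From": "alice@contoso.example", "FileName": "report.docx",
                           "IsViewableByExternalUsers": False},
    "SensitiveInfoDetectionIsIncluded": False,
    "PolicyDetails": [{"PolicyId": POLICY_ID, "PolicyName": "Sample PCI policy", "Rules": [{
        "RuleId": RULE_ID, "RuleName": "Credit card high volume", "RuleMode": "Enforce",
        "OverriddenActions": ["BlockAccess"]}]}],
    # ExceptionInfo is typed Edm.String in the table but described as a complex
    # type later; this sample carries it as a JSON string, the code accepts both.
    "ExceptionInfo": json.dumps({"Reason": "Override", "FalsePositive": False,
                                 "Justification": "Approved audit export", "Rules": [RULE_ID]}),
}


def workload(event):
    """Derive the workload from whichever metadata block is present."""
    for key, name in (("ExchangeMetaData", "Exchange Online"),
                      ("SharePointMetaData", "SharePoint Online / OneDrive"),
                      ("EndpointMetaData", "Endpoint")):
        if event.get(key):
            return name
    return "unknown"


def exception_info(event):
    """Return ExceptionInfo as a dict whether it arrived as a JSON string or an object."""
    info = event.get("ExceptionInfo")
    if isinstance(info, str):
        return json.loads(info) if info else {}
    return info or {}


def summarize_dlp_event(event):
    """Flatten one DLP event into a reviewer-oriented summary."""
    if event.get("UserKey") != "DlpAgent":
        raise ValueError("not a DLP event: UserKey is not DlpAgent")
    summary = {"operation": event["Operation"], "workload": workload(event),
               "detections_included": bool(event.get("SensitiveInfoDetectionIsIncluded")),
               "policies": []}
    endpoint = event.get("EndpointMetaData")
    if endpoint:
        code = str(endpoint.get("EnforcementMode"))
        summary["enforcement_mode"] = ENFORCEMENT_MODE.get(code, f"unknown code {code}")
    for policy in event.get("PolicyDetails", []):
        rules = []
        for rule in policy.get("Rules", []):
            types = []
            conditions = rule.get("ConditionsMatched") or {}
            for sit in conditions.get("SensitiveInformation", []):
                levels = sit.get("SensitiveInformationDetailedClassificationAttributes", [])
                types.append({"name": sit.get("SensitiveInformationTypeName", sit["SensitiveType"]),
                              "count": sit["Count"], "unique": sit.get("UniqueCount"),
                              "matching_confidence_levels": [a["Confidence"] for a in levels if a["IsMatch"]]})
            rules.append({"rule": rule["RuleName"], "severity": rule.get("Severity"),
                          "mode": rule["RuleMode"], "actions": rule.get("Actions", []),
                          "undone": rule.get("OverriddenActions", []), "sensitive_types": types})
        summary["policies"].append({"policy": policy["PolicyName"], "rules": rules})
    if event["Operation"] == "DlpRuleUndo":
        info = exception_info(event)
        summary.update(undo_reason=info.get("Reason"), false_positive=info.get("FalsePositive"),
                       justification=info.get("Justification"))
    return summary


if __name__ == "__main__":
    for ev in (SAMPLE_RULE_MATCH, SAMPLE_UNDO):
        print(json.dumps(summarize_dlp_event(ev), indent=2))
```

When SensitiveInfoDetectionIsIncluded is false, as in both samples, the SensitiveInformationDetections array is absent and only counts and confidence levels are available; the matched values themselves appear only for callers holding the "Read DLP policy events including sensitive details" permission described above.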

Security and Compliance Center schema

Parameters Type Mandatory Description
StartTime Edm.Date No The date and time at which the cmdlet was executed.
ClientRequestId Edm.String No A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
CmdletVersion Edm.String No The build version of the cmdlet when it was executed.
EffectiveOrganization Edm.String No The GUID for the organization impacted by the cmdlet. (Deprecated: This parameter will stop appearing in the future.)
UserServicePlan Edm.String No The Exchange Online Protection service plan assigned to the user that executed the cmdlet.
ClientApplication Edm.String No If the cmdlet was executed by an application, as opposed to remote PowerShell, this field contains that application's name.
Parameters Edm.String No The name and value for parameters that were used with the cmdlet that do not include Personally Identifiable Information.
NonPiiParameters Edm.String No The name and value for parameters that were used with the cmdlet that include Personally Identifiable Information. (Deprecated: This field will stop appearing in the future and its content merged with the Parameters field.)

Security and Compliance Alerts schema

Alert signals include:

The UserId and UserKey of these events are always SecurityComplianceAlerts. There are three types of alert events that are stored as the value of the Operation property of the common schema:

  • AlertTriggered - A new alert is generated due to a policy match.

  • AlertEntityGenerated - A new entity is added to an alert. This event is only applicable to alerts generated based on Alert policies in the security and compliance center. Each generated alert can be associated with one or multiple of these events. For example, an alert policy is defined to trigger an alert if any user deletes more than 100 files in 5 minutes. If two users exceed the threshold around the same time, there will be two AlertEntityGenerated events, but only one AlertTriggered event.

  • AlertUpdated - An update was made to the metadata of an alert. This event is logged when the status of an alert is changed (for example, from "Active" to "Resolved") and when someone adds a comment to the alert.

Parameters Type Mandatory Description
AlertId Edm.Guid Yes The Guid of the alert.
AlertType Self.String Yes Type of the alert. Alert types include:
  • System
  • Custom
Name Edm.String Yes Name of the alert.
PolicyId Edm.Guid No The Guid of the policy that triggered the alert.
Status Edm.String No Status of the alert. Statuses include:
  • Active
  • Investigating
  • Resolved
  • Dismissed
Severity Edm.String No Severity of the alert. Severity levels include:
  • Low
  • Medium
  • High
Category Edm.String No Category of the alert. Categories include:
  • AccessGovernance
  • DataGovernance
  • DataLossPrevention
  • InsiderRiskManagement
  • MailFlow
  • ThreatManagement
  • Other
Source Edm.String No Source of the alert. Sources include:
  • Office 365 Security & Compliance
  • Cloud App Security
Comments Edm.String No Comments left by the users who have viewed the alert. By default, it's "New alert".
Data Edm.String No The detailed data blob of the alert or alert entity.
AlertEntityId Edm.String No The identifier for the alert entity. This parameter is only applicable to AlertEntityGenerated events.
EntityType Edm.String No Type of the alert or alert entity. Entity types include:
  • User
  • Recipients
  • Sender
  • MalwareFamily
This parameter is only applicable to AlertEntityGenerated events.
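
Because one policy match produces a single AlertTriggered event, one AlertEntityGenerated event per affected entity, and any number of AlertUpdated events, a consumer has to join the three on AlertId to see an alert whole. The following Python is an added example, not code from the Office 365 documentation: it groups alert records by AlertId, collects the entities, keeps the ordered status history, and lists the alerts still open. The events are constructed samples; the GUIDs and CreationTime values are placeholders.

```python
"""Added example (not from the Office 365 documentation): reassemble the life
cycle of a Security and Compliance alert from its three event types by tying
AlertTriggered, AlertEntityGenerated and AlertUpdated records together on
AlertId. The events below are constructed samples; GUIDs are placeholders."""
import json

ALERT_ID = "aaaaaaaa-0000-0000-0000-000000000001"   # placeholder GUID
POLICY_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # placeholder GUID

# One alert policy match that involved two users, followed by a status update.
# CreationTime is the Common schema timestamp; the values are constructed.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-01-01T10:00:00", "Operation": "AlertTriggered",
     "UserId": "SecurityComplianceAlerts", "AlertId": ALERT_ID, "AlertType": "Custom",
     "Name": "Mass file deletion", "PolicyId": POLICY_ID, "Status": "Active",
     "Severity": "High", "Category": "DataGovernance",
     "Source": "Office 365 Security & Compliance", "Comments": "New alert"},
    {"CreationTime": "2024-01-01T10:00:01", "Operation": "AlertEntityGenerated",
     "UserId": "SecurityComplianceAlerts", "AlertId": ALERT_ID, "EntityType": "User",
     "AlertEntityId": "alice@contoso.example", "Data": json.dumps({"FileCount": 140})},
    {"CreationTime": "2024-01-01T10:00:02", "Operation": "AlertEntityGenerated",
     "UserId": "SecurityComplianceAlerts", "AlertId": ALERT_ID, "EntityType": "User",
     "AlertEntityId": "bob@contoso.example", "Data": json.dumps({"FileCount": 105})},
    {"CreationTime": "2024-01-01T11:30:00", "Operation": "AlertUpdated",
     "UserId": "SecurityComplianceAlerts", "AlertId": ALERT_ID, "Status": "Investigating",
     "Comments": "Checking with both users"},
]


def correlate_alerts(events):
    """Group alert events by AlertId. Each entry carries the policy match
    details from AlertTriggered, one entity per AlertEntityGenerated record,
    and the status history in CreationTime order."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e.get("CreationTime", "")):
        if ev.get("UserId") != "SecurityComplianceAlerts":
            continue  # not an alert record; skip it
        alert = alerts.setdefault(ev["AlertId"], {
            "name": None, "severity": None, "category": None, "policy_id": None,
            "triggered_count": 0, "entities": [], "status_history": []})
        op = ev.get("Operation")
        if op == "AlertTriggered":
            alert["triggered_count"] += 1
            alert.update(name=ev.get("Name"), severity=ev.get("Severity"),
                         category=ev.get("Category"), policy_id=ev.get("PolicyId"))
            alert["status_history"].append(ev.get("Status"))
        elif op == "AlertEntityGenerated":
            alert["entities"].append({"type": ev.get("EntityType"),
                                      "id": ev.get("AlertEntityId")})
        elif op == "AlertUpdated":
            alert["status_history"].append(ev.get("Status"))
    return alerts


def open_alerts(alerts, severity="High"):
    """AlertIds of the given severity whose latest status is not Resolved or
    Dismissed; the ones still waiting for an analyst."""
    terminal = {"Resolved", "Dismissed"}
    result = []
    for alert_id, alert in alerts.items():
        latest = alert["status_history"][-1] if alert["status_history"] else None
        if alert["severity"] == severity and latest not in terminal:
            result.append(alert_id)
    return result


if __name__ == "__main__":
    correlated = correlate_alerts(SAMPLE_EVENTS)
    print(json.dumps(correlated, indent=2))
    print("open:", open_alerts(correlated))
```

Sorting on CreationTime matters because the feed does not guarantee that an AlertTriggered record is delivered before its AlertEntityGenerated or AlertUpdated records; without it, the status history can end on a stale value.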

Yammer schema

The Yammer events listed in Search the audit log in the Security & Compliance Center will use this schema.

Parameters Type Mandatory Description
ActorUserId Edm.String No Email of user that performed the operation.
ActorYammerUserId Edm.Int64 No ID of user that performed the operation.
DataExportType Edm.String No Returns "data" if data export includes messages, notes, files, topics, users and groups; returns "user" if data export includes users only.
FileId Edm.Int64 No ID of the file in the operation.
FileName Edm.String No Name of the file in the operation. Will appear blank if not relevant to the operation.
GroupName Edm.String No Name of the group in the operation. Will appear blank if not relevant to the operation.
IsSoftDelete Edm.Boolean No Returns "true" if the network's data retention policy is set to Soft Delete; returns "false" if the network's data retention policy is set to Hard Delete.
MessageId Edm.Int64 No ID of the message in the operation.
ModifiedProperties Collection(ModifiedProperty) No Includes the name of the property that was modified, the new value of the modified object and the previous value of the modified object.
YammerNetworkId Edm.Int64 No Network ID of the user that performed the operation.
TargetObjectId Edm.String No Entra Id of the target user in the operation.
TargetUserId Edm.String No Email of target user in the operation. Will appear blank if not relevant to the operation.
TargetYammerUserId Edm.Int64 No ID of target user in the operation.
ThreadId Edm.Int64 No ID of the Message thread in the operation.
VersionId Edm.Int64 No Version ID of the file in the operation.

Data Center Security Base schema

Parameters Type Mandatory? Description
DataCenterSecurityEventType Self.DataCenterSecurityEventType Yes The type of cmdlet event in lock box.

Enum: DataCenterSecurityEventType - Type: Edm.Int32

DataCenterSecurityEventType

Member name Description
DataCenterSecurityCmdletAuditEvent This is the enum value for cmdlet audit type event.

Data Center Security Cmdlet schema

Parameters Type Mandatory? Description
StartTime Edm.Date Yes The start time of the cmdlet execution.
EffectiveOrganization Edm.String Yes The name of the tenant that the elevation/cmdlet was targeted at.
ElevationTime Edm.Date Yes The start time of the elevation.
ElevationApprover Edm.String Yes The name of a Microsoft manager.
ElevationApprovedTime Edm.Date No The timestamp for when the elevation was approved.
ElevationRequestId Edm.Guid Yes A unique identifier for the elevation request.
ElevationRole Edm.String No The role the elevation was requested for.
ElevationDuration Edm.Int32 Yes The duration for which the elevation was active.
GenericInfo Edm.String No Used for comments and other generic information.

Microsoft Teams schema

Parameters Type Mandatory? Description
Action Edm.String No For shared channel events, the action taken by the invitee or the channel owner for a share with team invite.
AddOnGuid Edm.Guid No A unique identifier for the add-on that generated the event.
AddOnName Edm.String No The name of the add-on that generated the event.
AddOnType Self.AddOnType No The type of add-on that generated this event.
ChannelGuid Edm.Guid No A unique identifier for the channel being audited.
ChannelName Edm.String No The name of the channel being audited.
ChannelType Edm.String No The type of channel being audited (Standard/Private).
ExtraProperties Collection(Self.KeyValuePair) No A list of extra properties.
HostedContents Collection(Self.HostedContent) No A collection of chat or channel message hosted contents.
Invitee Edm.String No For shared channel events, the UPN of the invitee team owner who accepts or declines the invite for a share with team invite.
Members Collection(Self.MicrosoftTeamsMember) No A list of users within a Team.
MessageId Edm.String No An identifier for a chat or channel message.
MessageURLs Edm.String No Present for any URL sent in Teams messages.
Messages Collection(Self.Message) No A collection of chat or channel messages.
MessageSizeInBytes Edm.Int64 No The size of a chat or channel message in bytes with UTF-16 encoding.
Name Edm.String No Only present for settings events. Name of the setting that changed.
NewValue Edm.String No Only present for settings events. New value of the setting.
OldValue Edm.String No Only present for settings events. Old value of the setting.
SubscriptionId Edm.String No A unique identifier of a Microsoft Graph change notification subscription.
TabType Edm.String No Only present for tab events. The type of tab that generated the event.
TeamGuid Edm.Guid No A unique identifier for the team being audited.
TeamName Edm.String No The name of the team being audited.

MicrosoftTeamsMember complex type

Parameters Type Mandatory? Description
UPN Edm.String No The user principal name of the user.
Role Self.MemberRoleType No The role of the user within the team.
DisplayName Edm.String No The display name of the user.

Enum: MemberRoleType - Type: Edm.Int32

MemberRoleType

Value Member name Description
0 Member A user who is a member of the team.
1 Owner A user who is the owner of the team.
2 Guest A user who is not a member of the team.

KeyValuePair complex type

Parameters Type Mandatory? Description
Key Edm.String No The key of the key-value pair.
Value Edm.String No The value of the key-value pair.

Enum: AddOnType - Type: Edm.Int32

AddOnType

Value Member name Description
1 Bot A Microsoft Teams bot.
2 Connector A Microsoft Teams connector.
3 Tab A Microsoft Teams tab.

HostedContent complex type

Parameters Type Mandatory? Description
Id Edm.String Yes A unique identifier of the message hosted content.
SizeInBytes Edm.Int64 No The message hosted content size in bytes.

Message complex type

Parameters Type Mandatory? Description
AADGroupId Edm.String No A unique identifier of the group in Azure Active Directory that the message belongs to.
Id Edm.String Yes A unique identifier of the chat or channel message.
ChannelGuid Edm.String No A unique identifier of the channel the message belongs to.
ChannelName Edm.String No The name of the channel the message belongs to.
ChannelType Edm.String No The type of the channel the message belongs to.
ChatName Edm.String No The name of the chat the message belongs to.
ChatThreadId Edm.String No A unique identifier of the chat the message belongs to.
ParentMessageId Edm.String No A unique identifier of the parent chat or channel message.
SizeInBytes Edm.Int64 No The size of the message in bytes with UTF-16 encoding.
TeamGuid Edm.String No A unique identifier of the team the message belongs to.
TeamName Edm.String No The name of the team the message belongs to.
Version Edm.String No The version of the chat or channel message.

Microsoft Defender for Office 365 and Threat Investigation and Response schema

Microsoft Defender for Office 365 and Threat Investigation and Response events are available for Office 365 customers who have a Defender for Office 365 Plan 1, Defender for Office 365 Plan 2, or an E5 subscription. Each event in the Defender for Office 365 feed corresponds to one of the following items that were determined to contain a threat:

Note

Microsoft Defender for Office 365 and Office 365 Threat Investigation and Response (formerly known as Office 365 Threat Intelligence) capabilities are now part of Defender for Office 365 Plan 2, with additional threat protection capabilities. To learn more, see Microsoft Defender for Office 365 plans and pricing and the Defender for Office 365 Service Description.

Email message events

Parameters Type Mandatory? Description
AttachmentData Collection(Self.AttachmentData) No Data about attachments in the email message that triggered the event.
DetectionType Edm.String Yes The type of detection (for example, Inline - detected at delivery time; Delayed - detected after delivery; ZAP - messages removed by Zero hour auto purge). Events with ZAP detection type will typically be preceded by a message with a Delayed detection type.
DetectionMethod Edm.String Yes The method or technology used by Defender for Office 365 for the detection.
InternetMessageId Edm.String Yes The Internet Message Id.
NetworkMessageId Edm.String Yes The Exchange Online Network Message Id.
P1Sender Edm.String Yes The return-path sender of the email message.
P2Sender Edm.String Yes The From: sender of the email message.
Policy Self.Policy Yes The type of filtering policy (for example Anti-spam or Anti-phish) and related action type (such as High Confidence Spam, Spam, or Phish) relevant to the email message.
PolicyAction Self.PolicyAction Yes The action configured in the filtering policy (for example, Move to Junk Mail folder or Quarantine) relevant to the email message.
Recipients Collection(Edm.String) Yes An array of recipients of the email message.
SenderIp Edm.String Yes The IP address that submitted the email to Office 365. The IP address is displayed in either an IPv4 or IPv6 address format.
Subject Edm.String Yes The subject line of the message.
Verdict Edm.String Yes The message verdict.
MessageTime Edm.Date Yes Date and time in Coordinated Universal Time (UTC) the email message was received or sent.
EventDeepLink Edm.String Yes Deep-link to the email event in Explorer or Real-time reports in the Office 365 Security & Compliance Center.
Delivery Action Edm.String Yes The original delivery action on the email message.
Original Delivery location Edm.String Yes The original delivery location of the email message.
Latest Delivery location Edm.String Yes The latest delivery location of the email message at the time of the event.
Directionality Edm.String Yes Identifies whether an email message was inbound, outbound, or an intra-org message.
ThreatsAndDetectionTech Edm.String Yes The threats and the corresponding detection technologies. This field exposes all the threats on an email message, including the latest addition on spam verdict. For example, ["Phish: [Spoof DMARC]","Spam: [URL malicious reputation]"]. The detection technologies are described below.
AdditionalActionsAndResults Collection(Edm.String) No The additional actions that were taken on the email, such as ZAP or Manual Remediation. Also includes the corresponding results.
Connectors Edm.String No The names and GUIDs of the connectors associated with the email.
AuthDetails Collection(Self.AuthDetails) No The authentication checks that are done for the email. Also includes the values for SPF, DKIM, DMARC, and CompAuth.
SystemOverrides Collection(Self.SystemOverrides) No Overrides that are applicable to the email. These can be system or user overrides.
Phish Confidence Level Edm.String No Indicates the confidence level associated with Phish verdict. It can be Normal or High.

Note

We recommend that you use the new ThreatsAndDetectionTech field because it shows multiple verdicts and the updated detection technologies. This field also aligns with the values you would see within other experiences like Threat Explorer and Advanced Hunting.

Detection technologies

Name Description
Advanced filter Phishing signals based on machine learning.
Anti-malware engine Detection from anti-malware engines.
Campaign Messages identified as part of a campaign.
Domain reputation Analysis based on domain reputation.
File detonation File attachments found to be bad during detonated analysis.
File detonation reputation File attachment marked as bad due to previous detonation reputation.
File reputation File attachments marked bad due to bad reputation.
Fingerprint matching The message was marked as bad due to previous messages.
General filter Phishing signals based on rules.
Impersonation brand The file type of the attachment.
Impersonation domain Impersonation of domains that the customer owns or defines.
Impersonation user Impersonation of users defined by admin or learned through mailbox intelligence.
Mailbox intelligence impersonation Impersonation based on mailbox intelligence.
Mixed analysis detection Multiple filters contributed to the verdict for this message.
Spoof DMARC DMARC authentication failure for messages.
Spoof external domain Sender is trying to spoof some other domain.
Spoof intra-org Sender is trying to spoof the recipient domain.
URL detonation The message was considered bad due to a previous malicious URL detonation.
URL detonation reputation The message was considered bad due to malicious URL detonation.
URL malicious reputation The message was considered bad due to a malicious URL.

AttachmentData complex type

AttachmentData

Parameters Type Mandatory? Description
FileName Edm.String Yes The file name of the attachment.
FileType Edm.String Yes The file type of the attachment.
FileVerdict Self.FileVerdict Yes The file malware verdict.
MalwareFamily Edm.String No The file malware family.
SHA256 Edm.String Yes The file SHA256 hash.

Note

Within the Malware family, you'll be able to see the exact MalwareFamily name (for example, HTML/Phish.VS!MSR) or Malicious Payload as a static string. A Malicious Payload should still be treated as malicious email when a specific name isn't identified.

SystemOverrides complex type

SystemOverrides

Parameters Type Mandatory? Description
Details Edm.String No The details about the specific override (such as ETR or Safe Sender) that was applied.
FinalOverride Edm.String No Indicates the override that impacted the delivery in the case of multiple overrides.
Result Edm.String No Indicates whether the email was set to allowed or blocked based on the override.
Source Edm.String No Indicates whether the override was user-configured or tenant-configured.

AuthDetails complex type

AuthDetails

Parameters Type Mandatory? Description
Name Edm.String No The name of the specific auth check, such as DKIM or DMARC.
Value Edm.String No The value associated with the specific auth check, such as True or False.

Enum: FileVerdict - Type: Edm.Int32

FileVerdict

Value Member name Description
0 Good No threats detected.
1 Bad Malware found in attachment.
-1 Error Scan / analysis error.
-2 Timeout Scan / analysis timeout.
-3 Pending Scan / analysis not complete.

Enum: Policy - Type: Edm.Int32

Policy type and action type

Value Member name Description
1 Anti-spam, HSPM High Confidence Spam (HSPM) action in the Anti-spam policy.
2 Anti-spam, SPM Spam (SPM) action in the Anti-spam policy.
3 Anti-spam, Bulk Bulk action in the Anti-spam policy.
4 Anti-spam, PHSH Phish (PHSH) action in the Anti-spam policy.
5 Anti-phish, DIMP Domain Impersonation (DIMP) action in the Anti-phish policy.
6 Anti-phish, UIMP User Impersonation (UIMP) action in the Anti-phish policy.
7 Anti-phish, SPOOF Spoof action in the Anti-phish policy.
8 Anti-phish, GIMP Mailbox intelligence action in the Anti-phish policy.
9 Anti-malware, AMP Malware policy action in the Anti-malware policy.
10 Safe attachment, SAP Policy action in the Safe attachments in Defender for Office 365 policy.
11 Exchange transport rule, ETR Policy action in the Exchange Transport Rule.
12 Anti-malware, ZAPM Malware policy action in the Anti-malware policy applied to Zero-hour auto purge (ZAP).
13 Anti-phish, ZAPP Phish policy action in the Anti-phish policy applied to ZAP.
14 Anti-phish, ZAPS Spam policy action in the Anti-spam policy applied to ZAP.
15 Anti-spam, High confidence phish email (HPHISH) High confidence Phish policy action in Anti-spam policy.
17 Anti-spam, Outbound spam policy (OSPM) Policy action in the outbound spam filter policy in Anti-spam.

Enum: PolicyAction - Type: Edm.Int32

Policy action

Value Member name Description
0 MoveToJMF Policy action is to move to Junk Mail folder.
1 AddXHeader Policy action is to add X-header to the email message.
2 ModifySubject Policy action is to modify subject in the email message with information specified by the filtering policy.
3 Redirect Policy action is to redirect the email message to the email address specified by the filtering policy.
4 Delete Policy action is to delete (drop) the email message.
5 Quarantine Policy action is to quarantine the email message.
6 NoAction Policy is configured to take no action on the email message.
7 BccMessage Policy action is to Bcc the email message to the email address specified by the filtering policy.
8 ReplaceAttachment Policy action is to replace the attachment in the email message as specified by the filtering policy.

URL time-of-click events

Parameters Type Mandatory? Description
UserId Edm.String Yes Identifier (for example, email address) for the user who clicked on the URL.
AppName Edm.String Yes Office 365 service from which the URL was clicked (for example, Mail).
URLClickAction Self.URLClickAction Yes Click action for the URL based on the organization's policies for Safe Links in Defender for Office 365.
SourceId Edm.String Yes Identifier for the Office 365 service from which the URL was clicked (for example, for mail this is the Exchange Online Network Message Id).
TimeOfClick Edm.Date Yes The date and time in Coordinated Universal Time (UTC) when the user clicked the URL.
URL Edm.String Yes URL clicked by the user.
UserIp Edm.String Yes The IP address for the user who clicked the URL. The IP address is displayed in either an IPv4 or IPv6 address format.

Enum: URLClickAction - Type: Edm.Int32

URLClickAction

Value Member name Description
2 Blockpage User blocked from navigating to the URL by Safe Links in Defender for Office 365.
3 PendingDetonationPage User presented with the detonation pending page by Safe Links in Defender for Office 365.
4 BlockPageOverride User was blocked from navigating to the URL by Safe Links in Defender for Office 365, but overrode the block and navigated to the URL.
5 PendingDetonationPageOverride User was presented with the detonation pending page by Safe Links in Defender for Office 365, but overrode it and navigated to the URL.

File events

Parameters Type Mandatory? Description
FileData Self.FileData Yes Data about the file that triggered the event.
SourceWorkload Self.SourceWorkload Yes Workload or service where the file was found (for example, SharePoint Online, OneDrive for Business, or Microsoft Teams).
DetectionMethod Edm.String Yes The method or technology used by Microsoft Defender for Office 365 for the detection.
LastModifiedDate Edm.Date Yes The date and time in Coordinated Universal Time (UTC) when the file was created or last modified.
LastModifiedBy Edm.String Yes Identifier (for example, an email address) for the user who created or last modified the file.
EventDeepLink Edm.String Yes Deep-link to the file event in Explorer or Real-time reports in the Security & Compliance Center.

FileData complex type

FileData

Parameters Type Mandatory? Description
DocumentId Edm.String Yes Unique identifier for the file in SharePoint, OneDrive, or Microsoft Teams.
FileName Edm.String Yes Name of the file that triggered the event.
FilePath Edm.String Yes Path (location) for the file in SharePoint, OneDrive, or Microsoft Teams.
FileVerdict Self.FileVerdict Yes The file malware verdict.
MalwareFamily Edm.String No The file malware family.
SHA256 Edm.String Yes The file SHA256 hash.
FileSize Edm.String Yes Size for the file in bytes.

Enum: SourceWorkload - Type: Edm.Int32

SourceWorkload

Value Member name
0 SharePoint Online
1 OneDrive for Business
2 Microsoft Teams

Submission schema

Submission events are available to all Office 365 customers, because the submission capability is part of the baseline security service. This includes organizations that use Exchange Online Protection and Microsoft Defender for Office 365. Each event in the submission feed corresponds to a suspected false positive or false negative that was submitted as one of the following:

  • Admin submission. Messages, files, or URLs submitted to Microsoft for analysis.
  • User-reported item. Messages reported by end users to the admin or Microsoft for review.

Submission events

Parameters Type Mandatory? Description
AdminSubmissionRegistered Edm.String No Admin submission is registered and is pending for processing.
AdminSubmissionDeliveryCheck Edm.String No Admin submission system checked the email's policy.
AdminSubmissionSubmitting Edm.String No Admin submission system is submitting the email.
AdminSubmissionSubmitted Edm.String No Admin submission system submitted the email.
AdminSubmissionTriage Edm.String No Admin submission is triaged by a grader.
AdminSubmissionTimeout Edm.String No Admin submission timed out with no result.
UserSubmission Edm.String No Submission was first reported by an end user.
UserSubmissionTriage Edm.String No User submission is triaged by a grader.
CustomSubmission Edm.String No Message reported by a user was sent to the organization's custom mailbox, as configured in the user reported messages settings.
AttackSimUserSubmission Edm.String No The user-reported message was actually a phishing simulation training message.
AdminSubmissionTablAllow Edm.String No An allow entry was created at the time of submission so that similar messages are acted on immediately while the submitted message is being rescanned.
SubmissionNotification Edm.String No Admin feedback is sent to the end user.

Automated investigation and response events in Office 365

Office 365 automated investigation and response (AIR) events are available for Office 365 customers who have a subscription that includes Microsoft Defender for Office 365 Plan 2 or Office 365 E5. Investigation events are logged based on a change in investigation status. For example, when an administrator takes an action that changes the status of an investigation from Pending Actions to Completed, an event is logged.

Currently, only automated investigations are logged. (Events for manually generated investigations are coming soon.) The following status values are logged:

  • Investigation Started
  • No threats found
  • Terminated by System
  • Pending Action
  • Threats Found
  • Remediated
  • Failed
  • Terminated by throttling
  • Terminated By User
  • Running

Main investigation schema

Name Type Description
InvestigationId Edm.String Investigation ID/GUID.
InvestigationName Edm.String Name of the investigation.
InvestigationType Edm.String Type of the investigation. Can take one of the following values:
- User-Reported Messages
- Zapped Malware
- Zapped Phish
- Url Verdict Change

(Manual investigations are currently not available and are coming soon.)

LastUpdateTimeUtc Edm.Date UTC time of the last update for an investigation.
StartTimeUtc Edm.Date Start time for an investigation.
Status Edm.String State of the investigation, for example Running or Pending Actions.
DeeplinkURL Edm.String Deep link URL to an investigation in Office 365 Security & Compliance Center.
Actions Collection (Edm.String) Collection of actions recommended by an investigation.
Data Edm.String Data string which contains more details about investigation entities, and information about alerts related to the investigation. Entities are available in a separate node within the data blob.

Actions

Field Type Description
ID Edm.String Action ID
ActionType Edm.String The type of the action, such as email remediation.
ActionStatus Edm.String Values include:
- Pending
- Running
- Waiting on resource
- Completed
- Failed
ApprovedBy Edm.String Null if auto approved; otherwise, the username/id (this is coming soon)
TimestampUtc Edm.DateTime The timestamp of the action status change.
ActionId Edm.String Unique identifier for action.
InvestigationId Edm.String Unique identifier for investigation.
RelatedAlertIds Collection(Edm.String) Alerts related to an investigation.
StartTimeUtc Edm.DateTime Timestamp of action creation.
EndTimeUtc Edm.DateTime Action final status update timestamp.
Resource Identifiers Edm.String Consists of the Azure Active Directory tenant ID.
Entities Collection(Edm.String) List of one or more affected entities by action.
Related Alert IDs Edm.String Alert related to an investigation.

Entities

MailMessage (email)

Field Type Description
Type Edm.String "mail-message"
Files Collection (Self.File) Details about the files of this message's attachments.
Recipient Edm.String The recipient of this mail message.
Urls Collection(Self.URL) The Urls contained in this mail message.
Sender Edm.String The sender's email address.
SenderIP Edm.String The sender's IP address.
ReceivedDate Edm.DateTime The received date of this message.
NetworkMessageId Edm.Guid The network message id of this mail message.
InternetMessageId Edm.String The internet message id of this mail message.
Subject Edm.String The subject of this mail message.

IP

Field Type Description
Type Edm.String "ip"
Address Edm.String The IP address as a string, such as 127.0.0.1.

URL

Field Type Description
Type Edm.String "url"
Url Edm.String The full URL to which an entity points.

Mailbox (also equivalent to the user)

Field Type Description
Type Edm.String "mailbox"
MailboxPrimaryAddress Edm.String The mailbox's primary address.
DisplayName Edm.String The mailbox's display name.
Upn Edm.String The mailbox's UPN.

File

Field Type Description
Type Edm.String "file"
Name Edm.String The file name without path.
FileHashes Collection (Edm.String) The file hashes associated with the file.

FileHash

Field Type Description
Type Edm.String "filehash"
Algorithm Edm.String The hash algorithm type, which can be one of these values:
- Unknown
- MD5
- SHA1
- SHA256
- SHA256AC
Value Edm.String The hash value.

MailCluster

Field Type Description
Type Edm.String "MailCluster". Determines the type of entity being described.
NetworkMessageIds Collection (Edm.String) List of the mail message IDs that are part of the mail cluster.
CountByDeliveryStatus Collections (Edm.String) Count of mail messages by DeliveryStatus string representation.
CountByThreatType Collections (Edm.String) Count of mail messages by ThreatType string representation.
Threats Collections (Edm.String) The threats of mail messages that are part of the mail cluster. Threats include values like Phish and Malware.
Query Edm.String The query that was used to identify the messages of the mail cluster.
QueryTime Edm.DateTime The query time.
MailCount Edm.int The number of mail messages that are part of the mail cluster.
Source String The source of the mail cluster; the value of the cluster source.
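The Data property arrives as a JSON string and is the only place the entity details above are delivered, so a consumer has to parse it before the hashes, URLs and sender IPs can be pushed to a blocklist or a SIEM. The following Python is an added example, not Microsoft code: it walks a constructed record, assumes that the blob carries a top-level Entities list whose items use the Type values from the tables above and that each file's FileHashes collection holds FileHash objects (Algorithm and Value), validates each indicator before keeping it, and reports whether the investigation is waiting on analyst approval.

```python
"""Indicator extraction from an AIR investigation record (added example, not Microsoft code)."""
import ipaddress
import json
import re

HEX_LENGTH = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Constructed record. The layout of the Data blob (top-level "Entities" list,
# FileHashes holding FileHash objects) is an assumption, not documented on the page.
CONSTRUCTED_RECORD = {
    "InvestigationId": "4f1c2d6e-0000-4000-8000-000000000001",
    "InvestigationType": "Zapped Phish",
    "Status": "Pending Action",
    "Data": json.dumps({"Entities": [
        {"Type": "mail-message", "Sender": "ap@example.net", "SenderIP": "203.0.113.7",
         "Recipient": "alice@example.com", "Subject": "Invoice overdue",
         "NetworkMessageId": "11111111-1111-1111-1111-111111111111",
         "Urls": [{"Type": "url", "Url": "https://example.test/invoice"}],
         "Files": [{"Type": "file", "Name": "invoice.iso", "FileHashes": [
             {"Type": "filehash", "Algorithm": "SHA256", "Value": "a" * 64},
             {"Type": "filehash", "Algorithm": "MD5", "Value": "b" * 32},
             {"Type": "filehash", "Algorithm": "Unknown", "Value": "zz"}]}]},
        {"Type": "ip", "Address": "198.51.100.23"},
        {"Type": "ip", "Address": "not-an-ip"},
        {"Type": "url", "Url": "https://example.test/login"},
        {"Type": "mailbox", "MailboxPrimaryAddress": "alice@example.com", "Upn": "alice@example.com"},
        {"Type": "MailCluster", "Threats": ["Phish"], "MailCount": 2, "NetworkMessageIds": [
            "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"]},
    ], "Alerts": [{"AlertId": "alert-1"}]}),
}


def load_blob(data):
    """Data is delivered as a JSON string; tolerate a parsed dict, None or junk."""
    if isinstance(data, dict):
        return data
    try:
        blob = json.loads(data or "{}")
    except (TypeError, json.JSONDecodeError):
        return {}
    return blob if isinstance(blob, dict) else {}


def valid_hash(algorithm, value):
    """Accept only hex digests of the length the named algorithm produces."""
    length = HEX_LENGTH.get(algorithm)
    return bool(length and isinstance(value, str) and re.fullmatch(r"[0-9a-fA-F]{%d}" % length, value))


def valid_ip(value):
    try:
        ipaddress.ip_address(value)
    except (TypeError, ValueError):
        return False
    return True


def extract_indicators(record):
    """Walk the entity tree (mail-message -> Urls/Files -> FileHashes) and
    return de-duplicated, sorted indicators grouped by kind."""
    found = {k: set() for k in ("sha256", "sha1", "md5", "urls", "ips",
                                "senders", "mailboxes", "network_message_ids")}
    stack = list(load_blob(record.get("Data")).get("Entities") or [])
    while stack:
        entity = stack.pop()
        if not isinstance(entity, dict):
            continue
        kind = str(entity.get("Type", "")).lower()
        if kind == "mail-message":
            if entity.get("Sender"):
                found["senders"].add(entity["Sender"].lower())
            if entity.get("Recipient"):
                found["mailboxes"].add(entity["Recipient"].lower())
            if valid_ip(entity.get("SenderIP")):
                found["ips"].add(entity["SenderIP"])
            if entity.get("NetworkMessageId"):
                found["network_message_ids"].add(entity["NetworkMessageId"])
            stack.extend(entity.get("Urls") or [])
            stack.extend(entity.get("Files") or [])
        elif kind == "ip" and valid_ip(entity.get("Address")):
            found["ips"].add(entity["Address"])
        elif kind == "url" and entity.get("Url"):
            found["urls"].add(entity["Url"])
        elif kind == "mailbox":
            for field in ("MailboxPrimaryAddress", "Upn"):
                if entity.get(field):
                    found["mailboxes"].add(entity[field].lower())
        elif kind == "file":
            stack.extend(entity.get("FileHashes") or [])
        elif kind == "filehash":
            algorithm = str(entity.get("Algorithm", "")).upper()
            if valid_hash(algorithm, entity.get("Value")):
                found[algorithm.lower()].add(entity["Value"].lower())
        elif kind == "mailcluster":
            found["network_message_ids"].update(entity.get("NetworkMessageIds") or [])
    return {k: sorted(v) for k, v in found.items()}


def needs_analyst_approval(record):
    """AIR pauses at Pending Action(s) until an admin approves the recommended actions."""
    return str(record.get("Status", "")).startswith("Pending Action")
```

Hashes with an Unknown or SHA256AC algorithm and malformed IP addresses are dropped rather than forwarded, because a blocklist entry that never matches is noise and one built from a garbled value can block the wrong thing.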

Hygiene events schema

Hygiene events relate to outbound spam protection. They record users who are restricted from sending email (listed) and users whose restriction is lifted (delisted). For more information, see:

Parameters Type Mandatory? Description
Audit Edm.String No System information related to the hygiene event.
Event Edm.String No The type of hygiene event. The values for this parameter are Listed or Delisted.
EventId Edm.Int64 No The ID of the hygiene event type.
EventValue Edm.String No The user who was impacted.
Reason Edm.String No Details about the hygiene event.

Power BI schema

The Power BI events listed in Search the audit log in the Office 365 Protection Center will use this schema.

Parameters Type Mandatory? Description
AppName Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The name of the app where the event occurred.
DashboardName Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The name of the dashboard where the event occurred.
DataClassification Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The data classification, if any, for the dashboard where the event occurred.
DatasetName Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The name of the dataset where the event occurred.
MembershipInformation Collection(MembershipInformationType) Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No Membership information about the group.
OrgAppPermission Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No Permissions list for an organizational app (entire organization, specific users, or specific groups).
ReportName Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The name of the report where the event occurred.
SharingInformation Collection(SharingInformationType) Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No Information about the person to whom a sharing invitation is sent.
SwitchState Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No Information about the state of various tenant level switches.
WorkSpaceName Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The name of the workspace where the event occurred.

MembershipInformationType complex type

Parameters Type Mandatory? Description
MemberEmail Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The email address of the group.
Status Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No Not currently populated.

SharingInformationType complex type

Parameters Type Mandatory? Description
RecipientEmail Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The email address of the recipient of a sharing invitation.
RecipientName Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The name of the recipient of a sharing invitation.
ResharePermission Edm.String Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true" No The permission being granted to the recipient.
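Every property in the Power BI tables above carries the Term="Microsoft.Office.Audit.Schema.PIIFlag" annotation, the schema's signal that the value identifies a person or a named business object and should not leave the tenant's compliance boundary in the clear. The following Python is an added example, not Microsoft code: it pseudonymizes exactly those properties, including the nested MembershipInformation and SharingInformation members, with a keyed hash so that records stay correlatable across exports, and provides a gate that names any flagged property still carrying a raw value. The record and the key are constructed.

```python
"""Pseudonymize PII-flagged Power BI audit properties (added example, not Microsoft code)."""
import hashlib
import hmac

# Top-level properties marked PIIFlag in the Power BI schema table.
PII_PROPERTIES = {
    "AppName", "DashboardName", "DataClassification", "DatasetName",
    "OrgAppPermission", "ReportName", "SwitchState", "WorkSpaceName",
}
# Collection property -> PIIFlag members of its complex type.
PII_COLLECTIONS = {
    "MembershipInformation": {"MemberEmail", "Status"},
    "SharingInformation": {"RecipientEmail", "RecipientName", "ResharePermission"},
}

# Constructed record; Operation and Workload are common-schema fields left as-is.
CONSTRUCTED_RECORD = {
    "Operation": "ShareReport",
    "Workload": "PowerBI",
    "ReportName": "Quarterly payroll",
    "WorkSpaceName": "Finance",
    "DataClassification": None,
    "SharingInformation": [
        {"RecipientEmail": "ext@example.net", "RecipientName": "Ext User", "ResharePermission": "Read"},
    ],
    "MembershipInformation": [{"MemberEmail": "finance@example.com", "Status": None}],
}


def pseudonym(value, key):
    """Keyed hash: equal inputs stay equal (correlation survives), the raw value
    is not recoverable without the key, and an unkeyed rainbow table is useless."""
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return "pii:" + mac.hexdigest()[:32]


def redact_powerbi_record(record, key):
    """Return a copy of the record with every PII-flagged property pseudonymized.
    None is left as None so absent values stay distinguishable from redacted ones."""
    out = dict(record)
    for name in PII_PROPERTIES:
        if out.get(name) is not None:
            out[name] = pseudonym(out[name], key)
    for coll, members in PII_COLLECTIONS.items():
        items = out.get(coll)
        if not isinstance(items, list):
            continue
        out[coll] = [
            {m: (pseudonym(v, key) if m in members and v is not None else v)
             for m, v in item.items()} if isinstance(item, dict) else item
            for item in items
        ]
    return out


def residual_pii(record):
    """Names of PII-flagged properties still holding raw values; an export
    pipeline should refuse any record for which this is non-empty."""
    leaks = []
    for name in PII_PROPERTIES:
        value = record.get(name)
        if value is not None and not str(value).startswith("pii:"):
            leaks.append(name)
    for coll, members in PII_COLLECTIONS.items():
        for item in record.get(coll) or []:
            if isinstance(item, dict):
                for m in members:
                    value = item.get(m)
                    if value is not None and not str(value).startswith("pii:"):
                        leaks.append(f"{coll}.{m}")
    return sorted(set(leaks))
```

The key must be held with the same care as the exported data: whoever has it can confirm a guessed name or address against a pseudonym, so store it in a secrets manager and rotate it when the export's retention period ends.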

Dynamics 365 schema

Audit records for events from model-driven apps in Dynamics 365 use both a base schema and an entity operation schema. For more information, see Enable and use Activity Logging.

Dynamics 365 base schema

Parameters Type Mandatory? Description
CrmOrganizationUniqueName Edm.String Yes The unique name of the organization.
InstanceUrl Edm.String Yes The URL to the instance.
ItemUrl Edm.String No The URL to the record emitting the log.
ItemType Edm.String No The name of the entity.
UserAgent Edm.String No The unique identifier of the user GUID in the organization.
Fields Collection(Common.NameValuePair) No A JSON object that contains the property key-value pairs that were created or updated.

Dynamics 365 entity operation schema

Entity events from model-driven apps in Dynamics 365 use this schema to build on the Dynamics 365 base schema. This schema includes information about the entity operation that triggered the audited event.

Parameters Type Mandatory? Description
EntityId Edm.Guid No The unique identifier of the entity.
EntityName Edm.String Yes The name of the entity in the organization. Examples of entities include contact and authentication.
Message Edm.String Yes The operation that was performed on the entity. For example, if a new contact was created, the value of the Message property is Create and the corresponding value of the EntityName property is contact.
Query Edm.String No The parameters of the filter query that was used while executing the FetchXML operation.
PrimaryFieldValue Edm.String No Indicates the value for the attribute that is the primary field for the entity.

Workplace Analytics schema

The Workplace Analytics events listed in Search the audit log in the Office 365 Security & Compliance Center will use this schema.

Parameters Type Mandatory? Description
WpaUserRole Edm.String No The Workplace Analytics role of the user who performed the action.
ModifiedProperties Collection (Common.ModifiedProperty) No This property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property.
OperationDetails Collection (Common.NameValuePair) No A list of extended properties for the setting that was changed. Each property will have a Name and Value.

Quarantine schema

The quarantine events listed in Search the audit log in the Office 365 Security & Compliance Center will use this schema. For more information about quarantine, see Quarantine email messages in Office 365.

Parameters Type Mandatory? Description
RequestType Self.RequestType No The type of quarantine request performed by a user.
RequestSource Self.RequestSource No The source of a quarantine request. The request can come from the Security & Compliance Center (SCC), a cmdlet, or a URL link.
NetworkMessageId Edm.String No The network message id of quarantined email message.
ReleaseTo Edm.String No The recipient of the email message.

Enum: RequestType - Type: Edm.Int32

Value Member name Description
0 Preview This is a request from a user to preview an email message that is deemed to be harmful.
1 Delete This is a request from a user to delete an email message that is deemed to be harmful.
2 Release This is a request from a user to release an email message that is deemed to be harmful.
3 Export This is a request from a user to export an email message that is deemed to be harmful.
4 ViewHeader This is a request from a user to view the header of an email message that is deemed to be harmful.
5 Release request This is a request from a user to have an email message that is deemed to be harmful released.

Enum: RequestSource - Type: Edm.Int32

Value Member name Description
0 SCC The request to preview, delete, release, export, or view the header of a potentially harmful email message originated in the Security & Compliance Center (SCC).
1 Cmdlet The request originated from a cmdlet.
2 URLlink The request originated from a URL link.
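Two record types on this page describe a human overriding a mail protection: URL time-of-click events whose URLClickAction is BlockPageOverride or PendingDetonationPageOverride (the user clicked through a Safe Links block), and quarantine events whose RequestType is Release or Release request. The following Python is an added example, not Microsoft code, and serves both sections: it decodes the Edm.Int32 enums with the tables above (accepting values delivered as strings), emits one finding per override or release with the RequestSource resolved, and counts click-through overrides per user. The records are constructed; UserId is the common-schema field.

```python
"""Flag Safe Links click-throughs and quarantine releases (added example, not Microsoft code)."""
from collections import Counter

# Enum tables copied from the URLClickAction, RequestType and RequestSource sections.
URL_CLICK_ACTION = {2: "Blockpage", 3: "PendingDetonationPage",
                    4: "BlockPageOverride", 5: "PendingDetonationPageOverride"}
REQUEST_TYPE = {0: "Preview", 1: "Delete", 2: "Release", 3: "Export",
                4: "ViewHeader", 5: "Release request"}
REQUEST_SOURCE = {0: "SCC", 1: "Cmdlet", 2: "URLlink"}

CLICK_OVERRIDES = {4, 5}

# Constructed records: three URL clicks (one plain block) and three quarantine requests.
CONSTRUCTED_RECORDS = [
    {"UserId": "bob@example.com", "AppName": "Mail", "URLClickAction": 2,
     "SourceId": "nmid-1", "TimeOfClick": "2024-05-01T08:00:00Z",
     "URL": "https://example.test/a", "UserIp": "203.0.113.5"},
    {"UserId": "bob@example.com", "AppName": "Mail", "URLClickAction": 4,
     "SourceId": "nmid-2", "TimeOfClick": "2024-05-01T08:02:00Z",
     "URL": "https://example.test/b", "UserIp": "203.0.113.5"},
    {"UserId": "carol@example.com", "AppName": "Teams", "URLClickAction": "5",
     "SourceId": "nmid-3", "TimeOfClick": "2024-05-01T08:05:00Z",
     "URL": "https://example.test/c", "UserIp": "203.0.113.9"},
    {"UserId": "admin@example.com", "RequestType": 0, "RequestSource": 0,
     "NetworkMessageId": "nmid-7", "ReleaseTo": "dave@example.com"},
    {"UserId": "admin@example.com", "RequestType": 2, "RequestSource": 1,
     "NetworkMessageId": "nmid-8", "ReleaseTo": "dave@example.com"},
    {"UserId": "dave@example.com", "RequestType": 5, "RequestSource": 2,
     "NetworkMessageId": "nmid-9", "ReleaseTo": "dave@example.com"},
]


def as_int(value):
    """Enum values are Edm.Int32 but may be serialized as strings."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def decode(table, value):
    """Map an enum value to its member name, keeping unknown values visible."""
    number = as_int(value)
    if number is None:
        return f"Unknown({value!r})"
    return table.get(number, f"Unknown({number})")


def classify(record):
    """Return a finding for an override or release, or None for a benign record."""
    if "URLClickAction" in record:
        action = as_int(record["URLClickAction"])
        if action in CLICK_OVERRIDES:
            return {"kind": "safelinks_override", "severity": "high",
                    "actor": record.get("UserId"), "action": decode(URL_CLICK_ACTION, action),
                    "url": record.get("URL"), "app": record.get("AppName"),
                    "message": record.get("SourceId"), "time": record.get("TimeOfClick")}
        return None
    if "RequestType" in record:
        request = as_int(record["RequestType"])
        if request == 2:
            kind, severity = "quarantine_release", "medium"
        elif request == 5:
            kind, severity = "quarantine_release_request", "low"
        else:
            return None
        return {"kind": kind, "severity": severity, "actor": record.get("UserId"),
                "action": decode(REQUEST_TYPE, request),
                "source": decode(REQUEST_SOURCE, record.get("RequestSource")),
                "message": record.get("NetworkMessageId"), "released_to": record.get("ReleaseTo")}
    return None


def triage(records):
    return [f for f in map(classify, records) if f is not None]


def overrides_per_actor(findings):
    """Repeat click-through offenders are candidates for training or a stricter Safe Links policy."""
    return Counter(f["actor"] for f in findings if f["kind"] == "safelinks_override")
```

The SourceId of a click finding is the Exchange Online Network Message Id, so it joins directly to the message that delivered the URL; the NetworkMessageId of a release finding does the same for the quarantined message.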

Microsoft Forms schema

The Microsoft Forms events listed in Search the audit log in the Office 365 Security & Compliance Center will use this schema.

Parameters Type Mandatory? Description
FormsUserTypes Collection(Self.FormsUserTypes) Yes The role of the user who performed the action. The values for this parameter are Admin, Owner, Responder, or Coauthor.
SourceApp Edm.String Yes Indicates whether the action originated from the Forms website or from another app.
FormName Edm.String No The name of the current form.
FormId Edm.String No The Id of the target form.
FormTypes Collection(Self.FormTypes) No Indicates whether this is a Form, Quiz, or Survey.
ActivityParameters Edm.String No JSON string containing activity parameters. See Search the audit log in the Office 365 Security & Compliance Center for more details.

Enum: FormsUserTypes - Type: Edm.Int32

FormsUserTypes

Value Form User Type Description
0 Admin An administrator who has access to the form.
1 Owner A user who is the owner of the form.
2 Responder A user who has submitted a response to a form.
3 Coauthor A user who used a collaboration link provided by the form owner to sign in and edit a form.

Enum: FormTypes - Type: Edm.Int32

FormTypes

Value Form Types Description
0 Form Forms that are created with the New Form option.
1 Quiz Quizzes that are created with the New Quiz option. A quiz is a special type of form that includes additional features such as point values, auto and manual grading, and commenting.
2 Survey Surveys that are created with the New Survey option. A survey is a special type of form that includes additional features such as CMS integration and support for Flow rules.

MIP label schema

Events in the Microsoft Purview Information Protection label schema are triggered when Microsoft 365 detects an email message processed by agents in the Transport pipeline that has a sensitivity label applied to it. The sensitivity label may have been applied manually or automatically, and it may have been applied within or outside of the Transport pipeline. Sensitivity labels can be automatically applied to email messages by auto-apply label policies.

The intent of this audit schema is to represent the sum of all email activity that involves sensitivity labels. In other words, there should be a recorded audit activity for each email message sent to or from users in the organization that has a sensitivity label applied to it, regardless of when or how the label was applied. For more information about sensitivity labels, see:

Parameters Type Mandatory? Description
Sender Edm.String No The email address in the From field of the email message.
Receivers Collection(Edm.String) No All email addresses in the To, CC, and Bcc fields of the email message.
ItemName Edm.String No The string in the Subject field of the email message.
LabelId Edm.Guid No The GUID of the sensitivity label applied to the email message.
LabelName Edm.String No The name of the sensitivity label applied to the email message.
LabelAction Edm.String No The actions specified by the sensitivity label that were applied to the email message before the message entered the mail transport pipeline.
LabelAppliedDateTime Edm.Date No The date the sensitivity label was applied to the email message.
ApplicationMode Edm.String No Specifies how the sensitivity label was applied to the email message. The Privileged value indicates the label was manually applied by a user. The Standard value indicates the label was auto-applied by a client-side or service-side labeling process.

Encrypted message portal events schema

Events in the encrypted message portal schema are triggered when Purview Message Encryption detects that an encrypted email message is accessed through the portal by an external recipient. The mail may have been encrypted manually with a sensitivity label or an RMS template, or automatically by a transport rule, a Data Loss Prevention policy, or an auto-labeling policy.

The intent of this audit schema is to represent the sum of all portal activity that involves external recipients accessing encrypted mail. In other words, there should be a recorded audit activity for each recipient attempt to sign in to the portal and for any activity related to accessing the encrypted mail. This includes mail sent to or from users in the organization when encryption is applied to it, regardless of when or how the encryption was applied. For more information, see Learn about encrypted message portal logs.

Parameters Type Mandatory? Description
MessageId Edm.String No The Id of the message.
Recipient Edm.String No Recipient email address.
Sender Edm.String No Email address of sender.
AuthenticationMethod Self.AuthenticationMethod No Authentication method used to access the message, for example OTP, Yahoo, Gmail, or Microsoft.
AuthenticationStatus Self.AuthenticationStatus No 0 – Success, 1- Failure.
OperationStatus Self.OperationStatus No 0 – Success, 1- Failure.
AttachmentName Edm.String No Name of the attachment.
OperationProperties Collection(Common.NameValuePair) No Extra properties, for example the number of OTP passcodes sent or the email subject.
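Because the portal authenticates external recipients with, among other methods, a one-time passcode (OTP), a run of AuthenticationStatus failures for the same recipient and message is the signature of passcode guessing, and a success that follows such a run is the case worth paging on. The following Python is an added example, not Microsoft code: it sorts constructed portal events by the common-schema CreationTime, keeps a sliding window of failures per (Recipient, MessageId), alerts when the count reaches a threshold, and raises a higher-severity alert when a success follows. The threshold and window are tuning assumptions, not values from the page.

```python
"""Detect passcode guessing against the encrypted message portal (added example, not Microsoft code)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # tuning assumption
WINDOW = timedelta(minutes=15)  # tuning assumption


def _event(recipient, message_id, minute, status, method="OTP"):
    """Build one constructed portal event at 08:00 UTC plus `minute`."""
    return {"MessageId": message_id, "Recipient": recipient, "Sender": "alice@example.com",
            "AuthenticationMethod": method, "AuthenticationStatus": status,
            "CreationTime": f"2024-05-01T{8 + minute // 60:02d}:{minute % 60:02d}:00Z"}


# Constructed: a burst of six failures then a success, two stray failures, and
# five failures spaced 20 minutes apart (never enough inside one window).
CONSTRUCTED_RECORDS = (
    [_event("ext@example.net", "m1", m, 1) for m in range(6)]
    + [_event("ext@example.net", "m1", 6, 0)]
    + [_event("other@example.net", "m2", m, 1) for m in (3, 4)]
    + [_event("slow@example.net", "m3", 60 + 20 * i, 1) for i in range(5)]
)


def parse_time(value):
    """Audit timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def otp_guessing_alerts(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window count of failed portal sign-ins per recipient and message.
    AuthenticationStatus 0 is success and 1 is failure, per the schema table."""
    events = sorted(records, key=lambda r: parse_time(r["CreationTime"]))
    recent_failures = defaultdict(list)
    alerted = set()
    alerts = []
    for record in events:
        key = (record.get("Recipient"), record.get("MessageId"))
        now = parse_time(record["CreationTime"])
        window_fails = [t for t in recent_failures[key] if now - t <= window]
        status = record.get("AuthenticationStatus")
        if status == 1:
            window_fails.append(now)
            if len(window_fails) >= threshold and key not in alerted:
                alerts.append({"kind": "otp_guessing", "severity": "medium",
                               "recipient": key[0], "message_id": key[1],
                               "failures": len(window_fails), "last_seen": record["CreationTime"]})
                alerted.add(key)
        elif status == 0:
            if len(window_fails) >= threshold:
                alerts.append({"kind": "success_after_failures", "severity": "high",
                               "recipient": key[0], "message_id": key[1],
                               "failures": len(window_fails), "last_seen": record["CreationTime"]})
            window_fails = []
            alerted.discard(key)
        recent_failures[key] = window_fails
    return alerts
```

Keying on both Recipient and MessageId keeps a legitimate recipient who mistypes passcodes for several different messages from tripping the threshold, while still catching a sustained attack on one message.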

Communication compliance Exchange schema

The communication compliance events listed in the Office 365 audit log use this schema. This includes audit records for the SupervisoryReviewOLAudit operation that's generated when email message content contains offensive language identified by anti-spam models with a match accuracy of >= 99.5%.

Parameters Type Mandatory? Description
ExchangeDetails ExchangeDetails No Properties of the email message that triggered the SupervisoryReviewOLAudit event.

ExchangeDetails complex type

ExchangeDetails

Member name Type Description
NetworkMessageId Edm.Guid The network message ID of the email message.
InternetMessageId Edm.String The internet message ID of the email message.
AttachmentData Collection(AttachmentDetails) Information about files attached to the email message.
Recipients Collection(Edm.String) The email addresses in the To, Cc, and Bcc fields of the email message.
Subject Edm.String The text in the Subject field of the email message.
MessageTime Edm.Date The date and time the email message was sent.
From Edm.String The email address in the From field of the email message.
Directionality Edm.String The origination status of the email message.

AttachmentDetails complex type

AttachmentDetails

Member name Type Description
FileName Edm.String The name of the file attached to the email message.
FileType Edm.String The file extension of the file attached to the email message.
SHA256 Edm.String The SHA-256 hash of the file attached to the email message.

Reports schema

The Reports events listed in Search the audit log in the Office 365 Security & Compliance Center will use this schema.

Parameters Type Mandatory? Description
ModifiedProperties Collection (Common.ModifiedProperty) No This property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property.

Compliance connector schema

Events in the compliance connector schema are triggered when items imported by a data connector are skipped or fail to import into user mailboxes. For more information about data connectors, see Learn about connectors for third-party data.

Parameters Type Mandatory? Description
JobId Edm.String No This is a unique identifier of the data connector.
TaskId Edm.String No Unique identifier of the periodic data connector instance. Data connectors import data in periodic intervals.
JobType Edm.String No The name of the data connector.
ItemId Edm.String No Unique identifier of the item (for example, an email message) being imported.
ItemSize Edm.Int64 No The size of the item being imported.
SourceUserId Edm.String No The unique identifier of the user from the third-party data source. For example, for a Slack data connector, this property specifies the user Id in Slack workspace.
FailureType Self.FailureType No Indicates the type of data import failure. For example, the value incorrectusermapping indicates the item wasn't imported because no user mapping between the third-party data source and Microsoft 365 could be found.
ResultMessage Edm.String No Indicates the type of failure, such as Duplicate message.
IsRetry Edm.Boolean No Indicates whether the data connector retried importing the item.
Attachments Collection(Attachment) No A list of attachments received from the third-party data source.

Enum: FailureType - Type: Edm.Int32

Value Member name
0 Default
1 MailboxWrite

Attachment complex type

Parameters Type Mandatory? Description
FileName Edm.String No The name of the attachment.
Details Edm.String No Other details about the attachment.

SystemSync schema

Events in the SystemSync schema are triggered when the SystemSync ingested data is either exported via Data Lake or shared via other services.

DataLakeExportOperationAuditRecord

Parameters Type Mandatory? Description
DataStoreType DataStoreType Yes Indicates which data store the data was downloaded from. See DataStoreType for all possible values.
UserAction DataLakeUserAction Yes Indicates the action the user performed on the data store. See DataLakeUserAction for all possible values.
ExportTriggeredAt Edm.DateTimeOffset Yes Indicates when the data export was triggered.
NameOfDownloadedZipFile Edm.String No The name of the compressed file the admin downloaded from the Data Lake.

DataShareOperationAuditRecord

Parameters Type Mandatory? Description
Invitation DataShareInvitationType No Details of the invite sent to the recipient of the Data Share.

DataShareInvitationType complex type

Parameters Type Mandatory? Description
ShareId Edm.Guid Yes System assigned identifier for the Data Share.
Invitees Collection(Edm.Guid) Yes List of admin users the invite was sent to.
InviteeTenantId Edm.Guid Yes The target tenant for which the invite is intended.
ShareName Edm.String Yes System assigned name for the Data Share.
SyncFrequency Self.SyncFrequency Yes Frequency at which the data is synced to the destination storage account once the share is established. See SyncFrequency for possible values.
SyncStartTime Edm.DateTimeOffset Yes Date and time of first sync.

Enum: SyncFrequency - Type: Edm.Int32

Value Member name Description
0 Hourly Indicates the data will be synced every hour.
1 Daily Indicates the data will be synced once a day.

Enum: DataStoreType - Type: Edm.Int32

Value Member name Description
0 CanonicalStore Indicates data will be downloaded from Canonical store.
1 StagingStore Indicates data will be downloaded from Staging store.

Enum: DataLakeUserAction - Type: Edm.Int32

Value Member name Description
0 TriggerExport The admin user triggered export from Data Lake.
1 DownloadZipFile The admin user downloaded the exported data.

MicrosoftGraphDataConnectOperation complex type

Parameters Type Mandatory? Description
ApplicationId Edm.Guid Yes The application ID.
ApplicationName Edm.String Yes The application name.
PipelineName Edm.String Yes The pipeline name.
PipelineRunId Edm.Guid No The ID of this pipeline run.
CopyActivityRunId Edm.Guid No The ID of the ADF copy activity.
RunStartTime Edm.Date Yes Date and time at which the extraction started.
RunEndTime Edm.Date Yes Date and time at which the extraction ended.
DatasetName Edm.String Yes The dataset name being extracted.
DatasetColumns Edm.String Yes The set of selected columns being extracted.
ScopeList Edm.String Yes The scope of the extraction.
ScopeCountRequested Edm.Int64 No The requested scope count for this extraction.
ScopeCountDelivered Edm.Int64 No The delivered scope count for this extraction.
UndeliveredScope Edm.String No The undelivered scope of the extraction.
RowCount Edm.Int64 No The number of rows extracted.
Status Edm.String Yes The extraction status.
Reason Edm.String No The error message in case of failure.

AipDiscover

The following table contains information related to Azure Information Protection (AIP) scanner events.

Event Description
ApplicationId The ID of the application performing the operation.
ApplicationName Friendly name of the application performing the operation. Outlook (for email), OWA (for email), Word (for file), Excel (for file), PowerPoint (for file).
ClientIP The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
CreationTime The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the audit log record was generated.
DataState Describes the state of the data.
DeviceName The device on which the activity happened.
Id GUID of the current record.
IsProtected Whether protected: True/False
Location The location of the document with respect to the user's device. The possible values are unknown, localMedia, removableMedia, fileshare and cloud.
ObjectId File full path (URL). For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user.
Operation Describes type of access.
OrganizationId The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
Platform Device platform (Win, OSX, Android, iOS) 
ProcessName The relevant process name, for example Outlook, msip.app, or WinWord.
ProductVersion Version of the AIP client.
ProtectionOwner Rights Management owner in UPN format.
ProtectionType Protection type can be template or ad-hoc.
RecordType The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records. For a complete updated list and full description of the Log RecordType, see the Microsoft 365 Compliance audit log activities via O365 Management API blog post. Here we only list the relevant MIP Record types.
Scope Was this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
SensitiveInfoTypeData Stores the datatype of the Sensitive Info type data.
SensitivityLabelId The current MIP sensitivity label GUID. Use the Get-Label cmdlet to resolve the GUID to the full label values.
TemplateId TemplateID parameter to get a specific template. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.
UserId The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
UserKey An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
UserType The type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
Version Version ID of the file in the operation.
Workload Stores the Office 365 service where the activity occurred.

AipSensitivityLabelAction

The following table contains information related to AIP sensitivity label events.

Event Description
ApplicationId Corresponds to the Microsoft Entra Application ID.
ApplicationName Application friendly name of the application performing the operation.
CreationDate The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
DataState Specifies the state of the data.
DeviceName The name of the user's device.
Identity The identity of the user or service to be authenticated.
IsProtected Whether the content is protected: True/False.
IsProtectedBefore Whether the content was protected before the change: True/False.
IsValid Boolean
Location The location of the document with respect to the user's device. The possible values are unknown, localMedia, removableMedia, fileshare, and cloud.
ObjectState Specifies the state of the object.
Operation The operation type for the audit log; the name of the user or admin activity. The most common operations/activities are:
SensitivityLabelApplied
SensitivityLabelUpdated
SensitivityLabelRemoved
SensitivityLabelPolicyMatched
SensitivityLabeledFileOpened
Identity The identity of the user or service to be authenticated.
PSComputerName Computer name.
PSShowComputerName The value is False for documents edited in Office 365.
Platform Device platform (Win, OSX, Android, iOS).
ProcessName Process that hosts MIP SDK.
ProductVersion Version of the Azure Information Protection client that performed the audit action.
ProtectionType Protection type can be template or ad-hoc.
RecordType Shows the value of Label Action. The operation type indicated by the record. For more information, see the full list of record types.
RunspaceId The Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
SensitiveInfoTypeData Stores the datatype of the Sensitive Info Type data.
TemplateId TemplateID parameter to get a specific template. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.
UserId The User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service.

AipProtectionAction

Event Description
PSComputerName Computer name.
RunspaceId The Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
PSShowComputerName The value is False for documents edited in Office 365.
RecordType Shows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types. For more information, see the full list of record types.
CreationTime The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the audit log record was generated.
UserId The User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged. For example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
Operation The operation type for the audit log; the name of the user or admin activity. The most common operations/activities are:
SensitivityLabelApplied
SensitivityLabelUpdated
SensitivityLabelRemoved
SensitivityLabelPolicyMatched
SensitivityLabeledFileOpened
Identity The identity of the user or service to be authenticated.
ObjectState State of the Object after the current event.
ApplicationId The application where the activity happened and displayed in GUID.
ApplicationName Application friendly name of the application performing the operation: Outlook (for email), OWA (for email), Word (for file), Excel (for file), PowerPoint (for file).
ProcessName Process name of the Office application.
Platform The platform on which the activity happened. For example, Windows.
DeviceName Device the event was recorded on.
ProductVersion Version of the Azure Information Protection client that performed the audit action.
UserId The UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
ClientIP The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
Id GUID of the current record.
RecordType Shows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types.
CreationTime The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the audit log record was generated.
Operation The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center.
OrganizationId The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
UserType The type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
UserKey An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
Workload Stores the Office 365 service where the activity occurred.
Version Version of the Azure Information Protection client that performed the audit action.
Scope Specifies the scope (see the Scope property in the Common schema).

AipFileDeleted

Event Description
PSComputerName Computer name.
RunspaceId The Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
PSShowComputerName The value is False for documents edited in Office 365.
RecordType Shows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types. For more information, see the full list of record types.
CreationTime The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the audit log record was generated.
UserId The User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged. For example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
Operation The operation type for the audit log; the name of the user or admin activity. The most common operations/activities are:
SensitivityLabelApplied
SensitivityLabelUpdated
SensitivityLabelRemoved
SensitivityLabelPolicyMatched
SensitivityLabeledFileOpened
Identity The identity of the user or service to be authenticated.
ObjectState State of the Object after the current event.
ApplicationId The application where the activity happened and displayed in GUID.
ApplicationName Application friendly name of the application performing the operation: Outlook (for email), OWA (for email), Word (for file), Excel (for file), PowerPoint (for file).
ProcessName Process name of the Office application.
Platform The platform on which the activity happened. For example, Windows.
DeviceName Device the event was recorded on.
ProductVersion Version of the Azure Information Protection client that performed the audit action.
UserId The UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name.

Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
ClientIP The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
Id GUID of the current record.
RecordType Shows the value of Label Action. The operation type indicated by the record. Here we are only listing the relevant MIP Record types.
CreationTime The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the audit log record was generated.
Operation The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center.
OrganizationId The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
UserType The type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
UserKey An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
Workload Stores the Office 365 service where the activity occurred.
Version Version of the Azure Information Protection client that performed the audit action.
Scope Specifies the scope (see the Scope property in the Common schema).

AipHeartBeat

The following table contains information related to AIP heartbeat events.

Event Description
ApplicationId Corresponds to the Microsoft Entra Application ID.
ApplicationName Application friendly name of the application performing the operation.
CreationDate The date and time in Coordinated Universal Time (UTC) in ISO8601 format when the user performed the activity.
DataState Specifies the state of the data.
DeviceName The name of the user's device.
Identity The identity of the user or service to be authenticated.
IsProtected Whether the content is protected: True/False.
IsProtectedBefore Whether the content was protected before the change: True/False.
IsValid Boolean
Location The location of the document with respect to the user's device. The possible values are unknown, localMedia, removableMedia, fileshare, and cloud.
ObjectState Specifies the state of the object.
Operation The operation type for the audit log. The name of the user or admin activity.
PSComputerName Computer name.
PSShowComputerName The value is False for documents edited in Office 365.
Platform Device platform (Win, OSX, Android, iOS).
ProcessName Process that hosts MIP SDK.
ProductVersion Version of the Azure Information Protection client that performed the audit action.
ProtectionType Protection type can be template or ad-hoc.
RecordType Shows the value of Label Action. The operation type indicated by the record. For more information, see the full list of record types.
RunspaceId The Runspace is a specific instance of PowerShell which contains modifiable collections of commands, providers, variables, functions, and language elements that are available to the command line user.
SensitiveInfoTypeData Stores the datatype of the Sensitive Info Type Data.
TemplateId TemplateID parameter to get a specific template. The Get-AipServiceTemplate cmdlet gets all existing or selected protection templates from Azure Information Protection.
UserId The UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value displayed in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see the app@sharepoint user in audit records.
UserType The type of user that performed the operation. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
UserKey An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
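
The AIP tables above describe the fields a reviewer has to combine to see that protection or a label was stripped from content, or that labeled content was handled on removable media. The following is an added example (not code from this page, from Microsoft, or from any SDK) that runs such a triage pass over constructed records using only the documented fields (Operation, IsProtected, IsProtectedBefore, Location, UserType); record Ids and object paths are placeholders.

```python
"""Triage of AIP sensitivity-label and protection audit records.

Added example; not code from this page, from Microsoft, or from any SDK. Uses
only field names from the AIP tables above. The sample records are constructed.
"""
from __future__ import annotations

import json
from typing import Any

# UserType enum exactly as listed in the AIP tables.
USER_TYPE = {
    0: "Regular", 1: "Reserved", 2: "Admin", 3: "DcAdmin", 4: "System",
    5: "Application", 6: "ServicePrincipal", 7: "CustomPolicy", 8: "SystemPolicy",
}

# Documented Location values (where the document sits relative to the device).
LOCATIONS = frozenset({"unknown", "localMedia", "removableMedia", "fileshare", "cloud"})

# Constructed sample records; Ids are placeholders, not real record GUIDs.
SAMPLE_RECORDS_JSON = json.dumps([
    {"Id": "constructed-1", "Operation": "SensitivityLabelApplied",
     "UserId": "alice@example.com", "UserType": 0, "Location": "cloud",
     "IsProtectedBefore": "False", "IsProtected": "True",
     "ObjectId": "https://example.com/sites/hr/plan.docx"},
    {"Id": "constructed-2", "Operation": "SensitivityLabelRemoved",
     "UserId": "bob@example.com", "UserType": 0, "Location": "removableMedia",
     "IsProtectedBefore": True, "IsProtected": False,
     "ObjectId": "E:\\exports\\customers.xlsx"},
    {"Id": "constructed-3", "Operation": "SensitivityLabeledFileOpened",
     "UserId": "svc-scanner@example.com", "UserType": 5, "Location": "usb",
     "IsProtectedBefore": "True", "IsProtected": "True",
     "ObjectId": "\\\\fs01\\share\\q3.pptx"},
    {"Id": "constructed-4", "Operation": "SensitivityLabelUpdated",
     "UserId": "carol@example.com", "UserType": 2, "Location": "fileshare",
     "IsProtectedBefore": "True", "IsProtected": "True",
     "ObjectId": "\\\\fs01\\share\\budget.xlsx"},
])


def as_bool(value: Any) -> bool:
    """IsProtected/IsProtectedBefore are documented as True/False; accept bool or text."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def user_type_name(code: Any) -> str:
    """Resolve a UserType code to its enum member name."""
    try:
        return USER_TYPE.get(int(code), f"Unknown({code})")
    except (TypeError, ValueError):
        return f"Unknown({code})"


def triage_record(rec: dict) -> list[str]:
    """Return the reasons a single record deserves a reviewer's attention."""
    reasons: list[str] = []
    # Protection present before the event and absent after it: protection was stripped.
    if as_bool(rec.get("IsProtectedBefore")) and not as_bool(rec.get("IsProtected")):
        reasons.append("protection removed (IsProtectedBefore=True, IsProtected=False)")
    if rec.get("Operation") == "SensitivityLabelRemoved":
        reasons.append("sensitivity label removed")
    location = rec.get("Location")
    if location not in LOCATIONS:
        reasons.append(f"undocumented Location value {location!r}")
    elif location == "removableMedia":
        reasons.append("labeled content handled on removable media")
    return reasons


def load_records(text: str) -> list[dict]:
    """Parse a JSON array of audit records."""
    return json.loads(text)


def triage(records: list[dict]) -> list[dict]:
    """Collect findings across records, keeping the identity fields a reviewer needs."""
    findings = []
    for rec in records:
        reasons = triage_record(rec)
        if reasons:
            findings.append({
                "Id": rec.get("Id"),
                "UserId": rec.get("UserId"),
                "UserType": user_type_name(rec.get("UserType")),
                "ObjectId": rec.get("ObjectId"),
                "Reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(load_records(SAMPLE_RECORDS_JSON)), indent=2))
```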

MicrosoftGraphDataConnectConsent complex type

Parameters Type Mandatory? Description
ApplicationId Edm.Guid Yes The application identification.
ApplicationVersion Edm.String Yes The application version.
AppRegistrationTenantId Edm.Guid Yes The application registration tenant id.
Approver Edm.String Yes The approver's user principal name.
ApprovalUpdatedDateInUTC Edm.Date Yes The update date time in UTC.
ApprovalExpiryDateInUTC Edm.Date Yes The expiry date time in UTC.
ApprovalValidDays Edm.Int32 Yes The number of days from update for which the approval will be valid.
DestinationSinks Edm.String Yes The destination sinks.
DestinationTenantId Edm.Guid Yes The destination tenant id.
Reason Edm.String No The reason provided by the admin who performed the operation.
State Edm.String Yes The consent state.
Datasets Collection(Self.MGDCDataset) Yes Details on the datasets which were consented to as part of this operation.

Complex Type MGDCDataset

Parameters Type Mandatory? Description
DatasetName Edm.String Yes The name of the dataset in the consent operation.
DatasetColumns Edm.String Yes The list of columns for the dataset in the consent operation.
DenyGroups Edm.String No The deny groups list for the dataset in the consent operation.
Scope Edm.String Yes The scope types for the dataset in the consent operation. Possible values are All, List and FilterUri.
ScopeFiltersUris Edm.String No The scope filter URI for the dataset in the consent operation.
ScopeList Edm.String No The scope group list for the dataset in the consent operation.
PrivacyPolicyType Edm.String Yes The privacy policy types for the dataset in the consent operation. Possible values are None and DenyList.
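
The consent record above ties an approval window (ApprovalUpdatedDateInUTC, ApprovalValidDays, ApprovalExpiryDateInUTC), a destination tenant, and per-dataset scope and privacy settings together. The following is an added example (not code from this page, from Microsoft, or from any SDK) that checks those relationships on constructed consent records: expiry consistent with the validity window, whether data is destined for a tenant other than the approving one, and datasets consented with no scope restriction or deny list. It assumes Edm.Date values are ISO "YYYY-MM-DD" strings and that list-valued Edm.String fields are ';' or ',' separated; tenant ids, app ids, dataset names and State values are placeholders.

```python
"""Review MicrosoftGraphDataConnectConsent audit records.

Added example; not code from this page, from Microsoft, or from any SDK.
Assumptions: Edm.Date values are ISO "YYYY-MM-DD" strings; list-valued
Edm.String fields are ';' or ',' separated. All sample data is constructed.
"""
from __future__ import annotations

from datetime import date, timedelta

SCOPES = {"All", "List", "FilterUri"}   # documented Scope values
PRIVACY_TYPES = {"None", "DenyList"}    # documented PrivacyPolicyType values


def expected_expiry(updated_utc: str, valid_days: int) -> str:
    """ApprovalExpiryDateInUTC should be ApprovalUpdatedDateInUTC + ApprovalValidDays."""
    start = date.fromisoformat(updated_utc[:10])  # tolerate a trailing time part
    return (start + timedelta(days=int(valid_days))).isoformat()


def split_list(value: str | None) -> list[str]:
    """Split a ';'/',' separated Edm.String list (the separator is an assumption)."""
    if not value:
        return []
    return [item.strip() for item in value.replace(",", ";").split(";") if item.strip()]


def review_dataset(ds: dict) -> list[str]:
    """Flag datasets whose scope or privacy settings leave the consent unrestricted."""
    name = ds.get("DatasetName", "<unnamed>")
    scope, policy = ds.get("Scope"), ds.get("PrivacyPolicyType")
    issues: list[str] = []
    if scope not in SCOPES:
        issues.append(f"{name}: undocumented Scope value {scope!r}")
    if policy not in PRIVACY_TYPES:
        issues.append(f"{name}: undocumented PrivacyPolicyType value {policy!r}")
    if scope == "All" and policy == "None":
        issues.append(f"{name}: unrestricted (Scope=All, PrivacyPolicyType=None)")
    if scope == "List" and not split_list(ds.get("ScopeList")):
        issues.append(f"{name}: Scope=List but ScopeList is empty")
    if scope == "FilterUri" and not split_list(ds.get("ScopeFiltersUris")):
        issues.append(f"{name}: Scope=FilterUri but ScopeFiltersUris is empty")
    if policy == "DenyList" and not split_list(ds.get("DenyGroups")):
        issues.append(f"{name}: PrivacyPolicyType=DenyList but DenyGroups is empty")
    return issues


def review_consent(rec: dict) -> list[str]:
    """Return review findings for one consent record (empty list means nothing notable)."""
    findings: list[str] = []
    org = rec.get("OrganizationId")  # approving tenant, from the Common schema
    if rec.get("DestinationTenantId") != org:
        findings.append("DestinationTenantId differs from the approving tenant (OrganizationId)")
    if rec.get("AppRegistrationTenantId") != org:
        findings.append("AppRegistrationTenantId differs from the approving tenant")
    try:
        exp = expected_expiry(rec["ApprovalUpdatedDateInUTC"], rec["ApprovalValidDays"])
        actual = str(rec.get("ApprovalExpiryDateInUTC", ""))[:10]
        if actual != exp:
            findings.append(f"ApprovalExpiryDateInUTC {actual} != expected {exp}")
    except (KeyError, ValueError, TypeError):
        findings.append("approval dates missing or unparseable")
    if not rec.get("Reason"):  # Reason is optional in the schema; its absence is worth noting
        findings.append("no Reason recorded by the approving admin")
    for ds in rec.get("Datasets", []):
        findings.extend(review_dataset(ds))
    return findings


# Constructed sample records (tenant ids, app ids, dataset names and State are placeholders).
SAMPLE_CONSENTS = [
    {"Id": "constructed-consent-1", "OrganizationId": "tenant-a",
     "ApplicationId": "app-1", "ApplicationVersion": "1.0",
     "AppRegistrationTenantId": "tenant-a", "Approver": "admin@example.com",
     "ApprovalUpdatedDateInUTC": "2024-03-01", "ApprovalValidDays": 180,
     "ApprovalExpiryDateInUTC": "2024-08-28", "DestinationSinks": "sink-1",
     "DestinationTenantId": "tenant-b", "Reason": "quarterly analytics",
     "State": "constructed-state",
     "Datasets": [
         {"DatasetName": "ExampleMailDataset", "DatasetColumns": "Subject;Sender",
          "Scope": "All", "PrivacyPolicyType": "None", "DenyGroups": ""},
         {"DatasetName": "ExampleCalendarDataset", "DatasetColumns": "Start;End",
          "Scope": "List", "ScopeList": "group-1;group-2",
          "PrivacyPolicyType": "DenyList", "DenyGroups": "exec-group"}]},
    {"Id": "constructed-consent-2", "OrganizationId": "tenant-a",
     "ApplicationId": "app-2", "ApplicationVersion": "2.1",
     "AppRegistrationTenantId": "tenant-a", "Approver": "admin@example.com",
     "ApprovalUpdatedDateInUTC": "2024-01-10", "ApprovalValidDays": 30,
     "ApprovalExpiryDateInUTC": "2024-02-15", "DestinationSinks": "sink-1",
     "DestinationTenantId": "tenant-a", "Reason": "", "State": "constructed-state",
     "Datasets": [
         {"DatasetName": "ExampleUserDataset", "DatasetColumns": "Id;Mail",
          "Scope": "List", "ScopeList": "",
          "PrivacyPolicyType": "DenyList", "DenyGroups": "exec-group"}]},
]
```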

Viva Goals schema

The audit records for events related to Viva Goals use this schema (in addition to the Common schema). For details on how you can search for the audit logs from the compliance portal, see Search the audit log in the Security & Compliance Center. For details about capturing events and activities related to Viva Goals, see Audit log activities.

Parameters Type Mandatory? Description
Detail Edm.String No A description of the event or the activity that occurred in Viva Goals.
Username Edm.String (Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") No The name of the user who triggered the event.
UserRole Edm.String No The role of the user who triggered this event in Viva Goals. This indicates whether the user is an organization admin or an owner.
OrganizationName Edm.String (Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") No The name of the organization in Viva Goals where the event was triggered.
OrganizationOwner Edm.String (Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") No The owner of the organization in Viva Goals where the event occurred.
OrganizationAdmins Collection(Edm.String) (Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") No The admin(s) of the organization in Viva Goals where the event occurred. There can be one or more admins in the organization.
UserAgent Edm.String (Term="Microsoft.Office.Audit.Schema.PIIFlag" Bool="true") No The user agent (browser details) of the user who triggered the event. UserAgent might not be present for a system-generated event.
ModifiedFields Collection(Common.NameValuePair) No A list of attributes that were modified, along with their new and old values, output as JSON.
ItemDetails Collection(Common.NameValuePair) No Additional properties about the object that was modified.

Microsoft Planner schema

Microsoft Planner overrides the definition of ObjectId and ResultStatus in the Common schema. Planner's ObjectId definition is bound to each Planner record type and is described individually below.

Microsoft Planner's ResultStatus is defined as the following.

Enum: ResultStatus - Type: Edm.Int32

ResultStatus

Value Member name Description
1 Success The user request succeeded.
2 Failure The user request failed due to reasons other than authorization.
3 AuthorizationFailure The user request failed due to failed authorization.

Microsoft Planner extends the Common schema with the following record types.

PlannerPlan record type

Properties Type Description
ObjectId Edm.String Id of the plan requested.
ContainerType Self.ContainerType Type of the container associated with the plan.
ContainerId Edm.String Id of the container associated with the plan.
SharedWithContainerId Edm.String Id of the container with shared access to the plan.
SharedWithContainerType Self.ContainerType Type of the container with shared access to the plan.
SharedWithContainerAccessLevel Self.PlanAccessLevel Level of access given to container with shared access to the plan.

Enum: ContainerType - Type: Edm.Int32

ContainerType

Value Member name Description
0 Invalid Used when the requested plan is not found.
2 Group The plan is associated with an M365 Group.
3 TeamsConversation The plan is associated with a Teams conversation.
4 OfficeDocument The plan is associated with an Office document.
5 Roster The plan is associated with a roster group.
6 Project The plan originates from Microsoft Project.

Enum: PlanAccessLevel - Type: Edm.Int32

PlanAccessLevel

Value Member name Description
1 ReadAccess Access to read Plan.
2 ReadWriteAccess Access to read and write to Plan.
3 FullAccess Access to read, write and configure Plan.

PlannerCopyPlan record type

Properties Type Description
ObjectId Edm.String Id of the plan being copied.
OriginalPlanId Edm.String Id of the plan being copied. Same as ObjectId.
OriginalContainerType Self.ContainerType Type of the container associated with the original plan.
OriginalContainerId Edm.String Id of the container associated with the original plan.
NewPlanId Edm.String Id of the new plan. Null when the operation failed.
NewContainerType Self.ContainerType Type of the container associated with the new plan.
NewContainerId Edm.String Id of the container associated with the new plan.

PlannerTask record type

Properties Type Description
ObjectId Edm.String Id of the task requested.
PlanId Edm.String Id of the plan containing the task.

PlannerRoster record type

Properties Type Description
ObjectId Edm.String Id of the roster requested.
MemberIds Edm.String A comma-separated string of the member ids changed on the roster.

PlannerPlanList record type

Properties Type Description
ObjectId Edm.String A representation of the view query for a list of plans.
PlanList Edm.String A comma-separated string of plan ids queried.

PlannerTaskList record type

Properties Type Description
ObjectId Edm.String A representation of the view query for a list of tasks.
PlanList Edm.String A comma-separated string of task ids queried.

PlannerTenantSettings record type

Properties Type Description
ObjectId Edm.String Original tenant settings in JSON.
TenantSettings Edm.String New tenant settings in JSON.

PlannerRosterSensitivityLabel record type

Properties Type Description
ObjectId Edm.String Id of the sensitivity label. Null when the sensitivity label is removed.
Roster Edm.String Id of the roster to which the sensitivity label is changed.
AssignmentMethod Self.SensitivityLabelAssignmentMethod The assignment method of the sensitivity label.

Enum: SensitivityLabelAssignmentMethod - Type: Edm.Int32

SensitivityLabelAssignmentMethod

Value Member name Description
0 Standard The sensitivity label is automatically applied but not allowed to override a privileged label assignment.
1 Privileged The sensitivity label is applied manually by a user or by an admin.
2 Auto The sensitivity label is automatically applied and is allowed to override a privileged label assignment.

Microsoft Project for the web schema

Microsoft Project for the web extends the Common schema with the following record types.

ProjectForThewebProject record type

Properties Type Mandatory? Description
ProjectId Edm.Guid No Id of the Project being audited.
AdditionalInfo Collection(Self.AdditionalInfo) No Additional information.

ProjectForThewebTask record type

Properties Type Mandatory? Description
ProjectId Edm.Guid Yes Id of the Project being audited.
TaskId Edm.Guid Yes Id of the Task being audited.
AdditionalInfo Collection(Self.AdditionalInfo) No Additional information.

ProjectForThewebRoadmap record type

Properties Type Mandatory? Description
RoadmapId Edm.Guid Yes Id of the Roadmap being audited.
AdditionalInfo Collection(Self.AdditionalInfo) No Additional information.

ProjectForThewebRoadmapItem record type

Properties Type Mandatory? Description
RoadmapItemId Edm.Guid Yes Id of the Roadmap Item being audited.
AdditionalInfo Collection(Self.AdditionalInfo) No Additional information.

Complex Type AdditionalInfo

Parameters Type Mandatory? Description
EnvironmentName Edm.String No Id of the environment where action was performed.

ProjectForThewebProjectSetting record type

Properties Type Mandatory? Description
ProjectEnabled Edm.Boolean Yes The value that was set for Project for the web (1 = enabled, 0 = disabled).

ProjectForThewebRoadmapSetting record type

Properties Type Mandatory? Description
RoadmapEnabled Edm.Boolean Yes The value that was set for Roadmap (1 = enabled, 0 = disabled).

ProjectForThewebAssignedToMeSetting record type

Properties Type Mandatory? Description
AssignedToMeEnabled Edm.Boolean Yes The value that was set for AssignedToMe (1 = enabled, 0 = disabled).

Viva Pulse schema

The audit records for events related to Viva Pulse use this schema (in addition to the Common schema). For details on how you can search for the audit logs from the compliance portal, see Search the audit log in the Security & Compliance Center. For details about capturing events and activities related to Viva Pulse, see Audit log activities.

Parameters Type Mandatory? Description
EventName Edm.String No A description of the event or the activity that occurred in Viva Pulse.
PulseId Edm.String No  Id of the pulse survey.
EventDetails Collection(Common.NameValuePair) No  Additional properties about the event.

Some of the Viva Pulse events record different properties in EventDetails. Each property recorded in EventDetails is described in the following table.

EventName PropertyName Description
PulseReportShare Recipients List of recipient ids with whom the pulse survey is shared.
PulseCreate Recipients List of user ids who are participants of the specified pulse survey.
PulseInvite Recipients List of user IDs who are additionally invited to the pulse.
PulseTenantSettingsUpdate TenantSettingName Changed settings name.
PulseSubmit Not Applicable This event does not record any property into EventDetails.
PulseExtendDeadline Not Applicable This event does not record any property into EventDetails.
PulseCancel Not Applicable This event does not record any property into EventDetails.
PulseCreateDraft Not Applicable This event does not record any property into EventDetails.
PulseDeleteDraft Not Applicable This event does not record any property into EventDetails.
PulseDeleteUserData Not Applicable This event does not record any property into EventDetails.

Compliance Manager schema

The audit records for events related to Microsoft Purview Compliance Manager use this schema (in addition to the Common schema). For details on how you can search for the audit logs from the compliance portal, see Search the audit log in the Security & Compliance Center. For details about capturing events and activities related to Compliance Manager, see Audit log activities.

Parameters Type Mandatory? Description
Details Collection(SettingsChange) No A description of the event that occurred in Microsoft Purview Compliance Manager.

Values taken by SettingsChange properties in Details for different operations are described in the table below.

Operation PropertyName Description
All Operations Name Name of the setting involved in the Compliance Manager operation.
All Operations NewValue New value of the setting.
All Operations OriginalValue Original value of the setting.

Note

  1. For role changes, the Name is the role type.
  2. The audit record reflects the change that occurred, such as a user being assigned a role or having a role revoked.
  3. The original and new value contain the emails of the users whose role changed.
  4. If there is no change in a role, that role type is not present in the audit record.
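
Given the notes above (Name is the role type, OriginalValue and NewValue carry the affected users' emails), a reviewer can derive who gained and who lost each role from a single record. The following is an added example (not code from this page, from Microsoft, or from any SDK) that does this over a constructed record; because the separator between several emails is not documented here, ';' or ',' is assumed, and the role names and addresses are placeholders.

```python
"""Derive role assignments and revocations from Compliance Manager audit records.

Added example; not code from this page, from Microsoft, or from any SDK. Reads
the Details collection of SettingsChange entries (Name, OriginalValue, NewValue).
Assumption: several emails in one value are ';' or ',' separated. Sample data,
role names and addresses are constructed placeholders.
"""
from __future__ import annotations

import re

_SEPARATORS = re.compile(r"[;,\s]+")


def parse_members(value: str | None) -> set[str]:
    """Split an OriginalValue/NewValue string into a set of lower-cased emails."""
    if not value:
        return set()
    return {m.lower() for m in _SEPARATORS.split(value) if m}


def role_changes(record: dict) -> list[dict]:
    """One entry per SettingsChange in Details, with sorted Assigned/Revoked lists."""
    changes = []
    for change in record.get("Details", []):
        before = parse_members(change.get("OriginalValue"))
        after = parse_members(change.get("NewValue"))
        changes.append({
            "Role": change.get("Name"),
            "Assigned": sorted(after - before),
            "Revoked": sorted(before - after),
        })
    return changes


def privileged_changes(record: dict, privileged_roles: set[str]) -> list[str]:
    """Human-readable lines for changes to roles the caller treats as privileged."""
    lines = []
    actor = record.get("UserId", "<unknown>")  # Common schema: who performed the change
    for c in role_changes(record):
        if c["Role"] not in privileged_roles:
            continue
        for user in c["Assigned"]:
            lines.append(f"{actor} assigned {c['Role']} to {user}")
        for user in c["Revoked"]:
            lines.append(f"{actor} revoked {c['Role']} from {user}")
    return lines


# Constructed sample record; role names and addresses are placeholders.
SAMPLE_RECORD = {
    "Id": "constructed-record-1",
    "UserId": "admin@example.com",
    "Details": [
        {"Name": "ExampleAdminRole",
         "OriginalValue": "alice@example.com; bob@example.com",
         "NewValue": "Alice@example.com; carol@example.com"},
        {"Name": "ExampleReaderRole",
         "OriginalValue": "",
         "NewValue": "dave@example.com"},
    ],
}


if __name__ == "__main__":
    for line in privileged_changes(SAMPLE_RECORD, {"ExampleAdminRole"}):
        print(line)
```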

Backup Policy schema

Parameters Type Mandatory? Description
PolicyID Edm.String Yes The ID of the policy.
EditMethodology Edm.String No How the policy was created / edited.
CountOfArtifactsBeingAdded Edm.Int32 No Number of artifacts being added.
CountOfArtifactsBeingRemoved Edm.Int32 No Number of artifacts being removed.
ServiceType Edm.String No Whether it is a SharePoint, Exchange, or OneDriveForBusiness policy.

Restore Task schema

Parameters Type Mandatory? Description
TaskID Edm.String Yes The ID of the Restore Task.
CreationMethodology Edm.String No How the Restore Task was created / edited.
CountOfArtifactsBeingAdded Edm.Int32 No Number of artifacts being added.
CountOfArtifactsBeingRemoved Edm.Int32 No Number of artifacts being removed.
ServiceType Edm.String No Whether it is a SharePoint, Exchange, or OneDriveForBusiness policy.

Restore Item schema

Parameters Type Mandatory? Description
RestoreTime Edm.DateTime Yes The point in time to which the item is being restored.
RestoreLocationType Edm.String Yes Location type that the item is being restored to.
RestoreLocation Edm.String No Location that the item is being restored to.
TaskID Edm.String Yes The ID of the Restore task.
BackupItemID Edm.String Yes ID of the Backup Item being restored.
ProtectionUnitID Edm.String Yes Protection Unit ID of the item being restored.
SuccessStatus Edm.String No Whether the restore operation was successful.
BackupItemType Edm.String Yes Whether the Backup Item is a Site / Account / Mailbox.
ServiceType Edm.String No Whether it is a SharePoint, Exchange, or OneDriveForBusiness policy.

Backup Item schema

Parameters Type Mandatory? Description
PolicyID Edm.String Yes Policy ID of the Policy the item is getting added to.
ItemID Edm.String Yes ID of the Backup Item.
ProtectionUnitID Edm.String Yes Protection Unit ID of the item being backed up.
ResultStatus Edm.String No Whether the restore operation was successful.
BackupItemType Edm.String Yes Whether the Backup Item is a Site / Account / Mailbox.
EditMethodology Edm.String No How the backup item is to be added.
ServiceType Edm.String No Whether it is a SharePoint, Exchange, or OneDriveForBusiness policy.

Cloud Policy service schema

The audit records for events related to the Cloud Policy service extend the Common schema as follows:

PolicyConfigChangeAuditRecord

Parameters Type Mandatory? Description
ConfigId Edm.String No ID of the policy configuration
ConfigName Edm.String No Given name of policy configuration
Description Edm.String No Description provided for policy configuration
ConfigScope Self.CPSScope No Scope of policy configuration
Groups Collection(Common.NameValuePair) No List of configured groups
Priority Edm.Int32 No Priority value of policy configuration
Policies Collection(Self.Policy) No List of configured policy settings
Priorities Collection(Self.PrioritySetting) No List of policy configurations and their priority values

Enum: CPSScope - Type: Edm.Int32

Value Member name Description
1 Tenant The policy configuration is scoped to all users in the tenant.
2 Anonymous The policy configuration is scoped to anonymous users.
3 User The policy configuration is scoped to users in configured Microsoft Entra group(s).

Complex Type Policy

Parameters Type Mandatory? Description
PolicyId Edm.String No ID of the policy setting
PolicyName Edm.String No Name of policy setting
Value Edm.String No Configured value of policy setting
Settings Collection(Self.Setting) No Configured setting

Complex Type Setting

Parameters Type Mandatory? Description
SettingId Edm.String No ID of the setting
SettingName Edm.String No Name of setting
Value Edm.String No Configured value of setting

Complex Type PrioritySetting

Parameters Type Mandatory? Description
ConfigId Edm.String No ID of the policy configuration
ConfigName Edm.String No Given name of policy configuration
Value Edm.String No Configured priority of policy configuration

Cloud update profile configuration schema

The Cloud Update profile configuration related events extend the Common schema with the following record types.

CloudUpdateProfileConfigAuditRecord

Parameters Type Mandatory? Description
ProfileName Edm.String Yes Name of profile
ProfileState Self.ProfileState No State of profile
Deadline Edm.Int32 No Configured deadline
UpdateValidationState Self.UpdateValidationState No State of Update Validation
Waves Collection(Self.Wave) No Collection containing configured waves
WaveDelay Edm.Int32 No Set delay between waves

Enum: ProfileState - Type: Edm.Int32

Value Member name Description
1 Enabled The profile is enabled and active.
2 Disabled The profile is disabled.
3 Paused The profile is enabled, but in paused state.

Enum: UpdateValidationState - Type: Edm.Int32

Value Member name Description
1 Enabled Update Validation is enabled.
2 Disabled Update Validation is disabled.

Complex Type Wave

Parameters Type Mandatory? Description
Name Edm.String No Name of wave
Type Self.WaveType No Wave specified by administrator or automatic catch-all wave
Groups Collection(Common.NameValuePair) No Collection of groups configured for this wave

Enum: WaveType - Type: Edm.Int32

Value Member name Description
1 Groups Wave was configured by administrator using groups.
2 RemainingDevices Automatically created wave that includes all devices in the profile's scope not covered by previous waves.

Cloud Update tenant configuration schema

The Cloud Update tenant configuration related events extend the Common schema with the following record types.

CloudUpdateTenantConfigAuditRecord

Parameters Type Mandatory? Description
ProfileExclusionWindows Collection(Self.ExclusionWindow) No Collection of configured exclusion windows
ExclusionList Collection(Common.NameValuePair) No Collection of configured exclusions
TAK Edm.String No Tenant Association Key

Complex Type ExclusionWindow

Parameters Type Mandatory? Description
Name Edm.String No Given name of exclusion window
StartDate Edm.Date No Start date of the exclusion window
EndDate Edm.Date No End date of the exclusion window
Groups Collection(Common.NameValuePair) No Collection of groups the exclusion window is scoped to

Cloud Update device schema

The Cloud Update device related events extend the Common schema with the following record types.

CloudUpdateDeviceConfigAuditRecord

Parameters Type Mandatory? Description
RollbackDevices Self.Rollback No Rollbacks triggered
ChannelChangeDevices Self.ChannelChange No Channel changes triggered

Complex Type Rollback

Parameters Type Mandatory? Description
RollbackType Self.RollbackType No Type of rollback
RollbackBuildNumber Edm.String No Targeted build number to roll back to
Devices Collection(Edm.String) No Collection of devices targeted by rollback

Enum: RollbackType - Type: Edm.Int32

Value Member name Description
1 SpecificDevices Rollback was targeted at a specific subset of devices.
2 AllDevices Rollback was targeted at all devices within the profile's scope.

Complex Type ChannelChange

Parameters Type Mandatory? Description
ChannelChange Self.Channel No Targeted update channel
Devices Collection(Edm.String) No Collection of targeted devices
Groups Collection(Common.NameValuePair) No Collection of targeted groups

Enum: Channel - Type: Edm.Int32

Value Member name Description
1 MonthlyEnterpriseChannel Monthly Enterprise Channel
2 CurrentChannel Current Channel
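The Cloud Update record types above carry several Edm.Int32 enums that arrive as bare integers. The following Python is an added example, not part of this reference or of the API itself: it decodes those enums into the member names listed above and turns a CloudUpdateProfileConfigAuditRecord and a CloudUpdateDeviceConfigAuditRecord into review-ready summaries. The sample records are constructed, and the JSON shape of Common.NameValuePair entries (objects with "Name" and "Value") is an assumption.

```python
# Enum tables from the Cloud Update schemas above (Edm.Int32 value -> member name).
PROFILE_STATE = {1: "Enabled", 2: "Disabled", 3: "Paused"}
UPDATE_VALIDATION_STATE = {1: "Enabled", 2: "Disabled"}
WAVE_TYPE = {1: "Groups", 2: "RemainingDevices"}
ROLLBACK_TYPE = {1: "SpecificDevices", 2: "AllDevices"}
CHANNEL = {1: "MonthlyEnterpriseChannel", 2: "CurrentChannel"}

def decode_enum(table, value):
    """Map an Edm.Int32 enum value to its member name; unknown values stay visible."""
    return table.get(value, f"Unknown({value!r})")

def summarize_profile_config(record):
    """Decode the enum fields of a CloudUpdateProfileConfigAuditRecord."""
    if "ProfileName" not in record:  # the only mandatory field in this record type
        raise ValueError("CloudUpdateProfileConfigAuditRecord is missing ProfileName")
    waves = [{"Name": w.get("Name"), "Type": decode_enum(WAVE_TYPE, w.get("Type")),
              "GroupCount": len(w.get("Groups", []))} for w in record.get("Waves", [])]
    return {"ProfileName": record["ProfileName"],
            "ProfileState": decode_enum(PROFILE_STATE, record.get("ProfileState")),
            "UpdateValidationState": decode_enum(UPDATE_VALIDATION_STATE,
                                                 record.get("UpdateValidationState")),
            "Deadline": record.get("Deadline"), "WaveDelay": record.get("WaveDelay"),
            "Waves": waves}

def device_change_findings(record):
    """Return review findings for a CloudUpdateDeviceConfigAuditRecord."""
    findings = []
    rollback = record.get("RollbackDevices")
    if rollback:  # RollbackDevices is a Self.Rollback complex type
        rtype = decode_enum(ROLLBACK_TYPE, rollback.get("RollbackType"))
        findings.append(f"rollback ({rtype}) to build {rollback.get('RollbackBuildNumber')} "
                        f"for {len(rollback.get('Devices', []))} listed device(s)")
    change = record.get("ChannelChangeDevices")
    if change:  # ChannelChangeDevices is a Self.ChannelChange complex type
        channel = decode_enum(CHANNEL, change.get("ChannelChange"))
        findings.append(f"channel change to {channel} for {len(change.get('Devices', []))} "
                        f"device(s) and {len(change.get('Groups', []))} group(s)")
    return findings

# Constructed sample records (not real API output); only schema fields are used.
SAMPLE_PROFILE = {"ProfileName": "Pilot ring", "ProfileState": 3, "Deadline": 5,
                  "UpdateValidationState": 1, "WaveDelay": 2,
                  "Waves": [{"Name": "Wave 1", "Type": 1, "Groups": [{"Name": "g1", "Value": "id1"}]},
                            {"Name": "Rest", "Type": 2, "Groups": []}]}
SAMPLE_DEVICE = {"RollbackDevices": {"RollbackType": 2, "RollbackBuildNumber": "16.0.1",
                                     "Devices": ["dev-a", "dev-b"]},
                 "ChannelChangeDevices": {"ChannelChange": 1, "Devices": ["dev-c"], "Groups": []}}
```

A rollback decoded as AllDevices or a profile flipping to Disabled is the kind of change worth surfacing in a review queue rather than leaving as an integer in the raw record.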

AAD Risk Detection schema

The audit records for events related to AAD Risk Detection use this schema (in addition to the Common schema). For details on how to search the audit log from the compliance portal, see Search the audit log in the Security & Compliance Center. For details about capturing events and activities related to AAD Risk Detection, see Audit log activities.

Parameters Type Mandatory? Description
Activity Edm.String No The activity type for which risk was detected.
ActivityDateTime Edm.Date No The date and time in Coordinated Universal Time (UTC) when the risky activity occurred.
AdditionalInfo Edm.String No Additional Information in JSON format for the detected risk.
CorrelationId Edm.String No An identifier that can be used to correlate sign-in activities associated with a risk detection.
DetectedDateTime Edm.Date No The date and time in Coordinated Universal Time (UTC) when the risk was detected.
DetectionTimingType Edm.String No Indicates the timing type of the detected risk. Possible values are real-time/offline.
LastUpdatedDateTime Edm.Date No The date and time in Coordinated Universal Time (UTC) when the risk detection was last updated.
Location Self.LocationType No Information about the location from which the sign-in activity was detected.
RequestId Edm.String No The Request Id of the sign-in activity for which risk was detected. If the risk detection is not associated with a sign-in, this property is null.
RiskDetail Edm.String No The details of the detected risk.
RiskEventType Edm.String No The type of event for which risk was detected.
RiskId Edm.String No A unique identifier for the risk detection.
RiskLevel Edm.String No The level of the risk detected.
RiskState Edm.String No The risk state of a risky user or a sign-in linked to the risk detection.
Source Edm.String No The source of the detected risk.
TokenIssuerType Edm.String No The type of token issuer for the sign-in linked to the risk detection.
UserDisplayName Edm.String No The user principal name (UPN) of the user for whom the risk was detected.

LocationType complex type

Parameters Type Mandatory? Description
City Edm.String No The city where the sign-in was performed.
CountryOrRegion Edm.String No The country or region where the sign-in was performed.
GeoCoordinates Self.GeoCoordinatesType No The geo-coordinates of the location where the sign-in was performed.
State Edm.String No The state where the sign-in was performed.

GeoCoordinatesType complex type

Parameters Type Mandatory? Description
Altitude Edm.String No The altitude of the location where the sign-in was performed.
Latitude Edm.String No The latitude of the location where the sign-in was performed.
Longitude Edm.String No The longitude of the location where the sign-in was performed.
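As an added example that is not part of this reference, the following Python triages one AAD Risk Detection record using the fields above: it flattens the LocationType and GeoCoordinatesType complex types, measures the gap between ActivityDateTime and DetectedDateTime (useful for spotting offline detections that arrive late), and decides whether the record should be escalated. The RiskLevel and RiskState vocabularies (low/medium/high, remediated/dismissed), the ISO 8601 timestamp format, and the sample record are assumptions.

```python
from datetime import datetime, timezone

# Assumed RiskLevel vocabulary; the schema gives the field, not its permitted values.
RISK_LEVEL_ORDER = {"low": 1, "medium": 2, "high": 3}

def parse_edm_date(value):
    """Parse an ISO 8601 timestamp (assumed wire form of Edm.Date here) to aware UTC."""
    if value is None:
        return None
    if value.endswith("Z"):  # fromisoformat() before Python 3.11 rejects a trailing Z
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def location_string(loc):
    """Flatten Self.LocationType (City/State/CountryOrRegion + GeoCoordinates) to text."""
    if not loc:
        return "unknown"
    parts = [loc.get(k) for k in ("City", "State", "CountryOrRegion") if loc.get(k)]
    geo = loc.get("GeoCoordinates") or {}
    if geo.get("Latitude") and geo.get("Longitude"):
        parts.append(f"({geo['Latitude']}, {geo['Longitude']})")
    return ", ".join(parts) or "unknown"

def triage_risk_detection(record, min_level="medium"):
    """Summarize one record; escalate when level >= min_level and state is still open."""
    level = (record.get("RiskLevel") or "").lower()
    state = (record.get("RiskState") or "").lower()
    activity_at = parse_edm_date(record.get("ActivityDateTime"))
    detected_at = parse_edm_date(record.get("DetectedDateTime"))
    lag = (detected_at - activity_at).total_seconds() if activity_at and detected_at else None
    escalate = (RISK_LEVEL_ORDER.get(level, 0) >= RISK_LEVEL_ORDER[min_level]
                and state not in ("remediated", "dismissed"))  # assumed closed states
    return {"RiskId": record.get("RiskId"), "User": record.get("UserDisplayName"),
            "RiskEventType": record.get("RiskEventType"), "RiskLevel": level,
            "RiskState": state, "DetectionTimingType": record.get("DetectionTimingType"),
            "Location": location_string(record.get("Location")),
            "DetectionLagSeconds": lag,
            "SignInLinked": record.get("RequestId") is not None,  # null when not a sign-in
            "escalate": escalate}

# Constructed sample record (illustrative values, not a real detection).
SAMPLE_RECORD = {"RiskId": "risk-0001", "UserDisplayName": "user@contoso.example",
                 "RiskEventType": "unfamiliarFeatures", "RiskLevel": "high", "RiskState": "atRisk",
                 "DetectionTimingType": "offline", "ActivityDateTime": "2024-01-10T08:00:00Z",
                 "DetectedDateTime": "2024-01-10T09:30:00Z", "RequestId": "req-123",
                 "Location": {"City": "Seattle", "State": "Washington", "CountryOrRegion": "US",
                              "GeoCoordinates": {"Latitude": "47.6", "Longitude": "-122.3"}}}
```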