diff --git a/Content/Content Packs/Office 365 Content Pack.html b/Content/Content Packs/Office 365 Content Pack.html index 622e06c..8855211 100644 --- a/Content/Content Packs/Office 365 Content Pack.html +++ b/Content/Content Packs/Office 365 Content Pack.html @@ -1,51 +1,56 @@  - + - - - Office 365 Content Pack - - + Office 365 Content Pack +

Microsoft’s Office 365 provides cloud-based office apps like Word, Excel, and others. O365 Spotlight for Graylog Illuminate works with the Office 365 Log Events Enterprise Plugin to process Microsoft Office 365 logs by providing normalization and enrichment of common events. The Spotlight comes ready to use with several pre-built dashboard views including O365 Overview and tabs for Exchange, Azure Active Directory, and other O365 applications.

-

Supported Version(s)

+

Supported Version(s)

-

Stream Configuration

-

This technology pack includes one stream:

+

Requirements

-

If this stream name is already defined, then nothing will be changed. If this stream name does not exist, then it will be created.

-

Index Set Configuration

-

This technology pack includes one index set definition:

+

Stream Configuration

+

This technology pack includes 1 stream:

-

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

-

Log Format Example

-

{"CreationTime":"2021-10-03T00:14:46","Id":"bee3fdad-4243-8f3b-f234-15c294843741","Operation":"SearchMtpStatus","OrganizationId":"bee3fdad-4243-8f3b-f234-15c294843742","RecordType":52,"UserKey":"NOT-FOUND","UserType":5,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"NOT-FOUND","AadAppId":"bee3fdad-4243-8f3b-f234-15c294843740","DataType":"MtpStatus","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/MtpStatus?tenantid=bee3fdad-4243-8f3b-f234-15c294843743","ResultCount":"1"} +

+

+
Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream. +
+

-

Requirements

+

Index Set Configuration

+

This technology pack includes 1 index set definition:

-

What is Provided

+

+

+
Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation. +
+
+

+

Log Format Example

+

{"CreationTime":"2021-10-03T00:14:46","Id":"bee3fdad-4243-8f3b-f234-15c294843741","Operation":"SearchMtpStatus","OrganizationId":"bee3fdad-4243-8f3b-f234-15c294843742","RecordType":52,"UserKey":"NOT-FOUND","UserType":5,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"NOT-FOUND","AadAppId":"bee3fdad-4243-8f3b-f234-15c294843740","DataType":"MtpStatus","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/MtpStatus?tenantid=bee3fdad-4243-8f3b-f234-15c294843743","ResultCount":"1"} +

+

What is Provided

-

Configuring an O365 Input

+

Log Collection

+

Configuring an O365 Input

    -
  1. On the Select Input drop-down menu, select System menu and then choose Inputs.
  2. -
  3. Select Office 365 Log Events from the Select Input drop-down menu.
  4. -
  5. Click Launch New Input.
  6. -
  7. Assign a node or select Global mode.
  8. -
  9. Set the Title, Directory (tenant) ID, Application (client) ID, Client Secret, and Subscription Type to correct values for your O365 tenant.
  10. -
  11. Click Verify Connection & Proceed.
  12. -
  13. Specify the desired Content Types. Options include: AZURE_ACTIVE_DIRECTORY, SHAREPOINT, EXCHANGE, GENERAL, and DLP_ALL.
  14. -
  15. Set the polling interval. (Graylog recommends starting with a polling interval of 3 minutes for the System Log API used by the Graylog O365 Log Events plugin.)
  16. -
  17. This step is optional: Select Store Full Message. (This option consumes additional Graylog ingestion volume and storage requirements but may be required for compliance or other reasons.)
  18. -
  19. Save the input settings.
  20. -
  21. If the input does not start automatically, select Start Input to begin retrieving and processing messages from the configured O365 tenant.
  22. +
  23. +

    On the Select Input drop-down menu, select the System menu and then choose Inputs.

    +
  24. +
  25. +

    Select Office 365 Log Events from the Select Input drop-down menu.

    +
  26. +
  27. +

    Click Launch New Input.

    +
  28. +
  29. +

    Assign a node or select Global mode.

    +
  30. +
  31. +

    Set the Title, Directory (tenant) ID, Application (client) ID, Client Secret, and Subscription Type to correct values for your O365 tenant.

    +
  32. +
  33. +

    Click Verify Connection & Proceed.

    +
  34. +
  35. +

    Specify the desired Content Types. Options include: AZURE_ACTIVE_DIRECTORY, SHAREPOINT, EXCHANGE, GENERAL, and DLP_ALL.

    +
  36. +
  37. +

    Set the polling interval. (Graylog recommends starting with a polling interval of 3 minutes for the System Log API used by the Graylog O365 Log Events plugin.)

    +
  38. +
  39. +

    This step is optional: Select Store Full Message. (This option consumes additional Graylog ingestion volume and storage requirements but may be required for compliance or other reasons.)

    +
  40. +
  41. +

    Save the input settings.

    +
  42. +
  43. +

    If the input does not start automatically, select Start Input to begin retrieving and processing messages from the configured O365 tenant.

    +
+

GIM Categorization

+

GIM categorization is provided for the following messages:

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
vendor_event_actiongim_event_type_codegim_event_categorygim_event_classgim_event_subcategorygim_event_type
FileAccessed000000messagemessage.log_messagemessage
FileAccessedExtended000000messagemessage.log_messagemessage
ComplianceSettingChanged000000messagemessage.log_messagemessage
LockRecord000000messagemessage.log_messagemessage
UnlockRecord000000messagemessage.log_messagemessage
FileCheckedIn201000fileendpointfile.modifyfile modified
FileCheckedOut000000messagemessage.log_messagemessage
FileCopied200000fileendpointfile.createfile created
FileDeleted200100fileendpointfile.deletefile deleted
FileDeletedFirstStageRecycleBin200100fileendpointfile.deletefile deleted
FileDeletedSecondStageRecycleBin200100fileendpointfile.deletefile deleted
RecordDelete000000messagemessage.log_messagemessage
DocumentSensitivityMismatchDetected000000messagemessage.log_messagemessage
FileMalwareDetected301000detectiondetection.host_detectionhost_malware_detection
FileCheckOutDiscarded000000messagemessage.log_messagemessage
FileDownloaded000000messagemessage.log_messagemessage
FileModified201000fileendpointfile.modifyfile modified
FileModifiedExtended201000fileendpointfile.modifyfile modified
FileMoved201000fileendpointfile.modifyfile modified
FilePreviewed000000messagemessage.log_messagemessage
SearchQueryPerformed000000messagemessage.log_messagemessage
FileVersionsAllMinorsRecycled200100fileendpointfile.deletefile deleted
FileVersionsAllRecycled200100fileendpointfile.deletefile deleted
FileVersionRecycled200100fileendpointfile.deletefile deleted
FileRenamed201000fileendpointfile.modifyfile modified
FileRestored200000fileendpointfile.createfile created
FileUploaded200000fileendpointfile.createfile created
PageViewed000000messagemessage.log_messagemessage
PageViewedExtended000000messagemessage.log_messagemessage
ClientViewSignaled000000messagemessage.log_messagemessage
PagePrefetched000000messagemessage.log_messagemessage
FolderCopied200000fileendpointfile.createfile created
FolderCreated200000fileendpointfile.createfile created
FolderDeleted200100fileendpointfile.deletefile deleted
FolderDeletedFirstStageRecycleBin200100fileendpointfile.deletefile deleted
FolderDeletedSecondStageRecycleBin200100fileendpointfile.deletefile deleted
FolderModified201000fileendpointfile.modifyfile modified
FolderMoved201000fileendpointfile.modifyfile modified
FolderRenamed201000fileendpointfile.modifyfile modified
FolderRestored200000fileendpointfile.createfile created
ListCreated000000messagemessage.log_messagemessage
ListColumnCreated000000messagemessage.log_messagemessage
ListContentTypeCreated000000messagemessage.log_messagemessage
ListItemCreated000000messagemessage.log_messagemessage
SiteColumnCreated000000messagemessage.log_messagemessage
Site ContentType Created000000messagemessage.log_messagemessage
ListDeleted000000messagemessage.log_messagemessage
List Column Deleted000000messagemessage.log_messagemessage
ListContentTypeDeleted000000messagemessage.log_messagemessage
List Item Deleted000000messagemessage.log_messagemessage
SiteColumnDeleted000000messagemessage.log_messagemessage
SiteContentTypeDeleted000000messagemessage.log_messagemessage
ListItemRecycled000000messagemessage.log_messagemessage
ListRestored000000messagemessage.log_messagemessage
ListItemRestored000000messagemessage.log_messagemessage
ListUpdated000000messagemessage.log_messagemessage
ListColumnUpdated000000messagemessage.log_messagemessage
ListContentTypeUpdated000000messagemessage.log_messagemessage
ListItemUpdated000000messagemessage.log_messagemessage
SiteColumnUpdated000000messagemessage.log_messagemessage
SiteContentTypeUpdated000000messagemessage.log_messagemessage
PermissionLevelAdded000000messagemessage.log_messagemessage
AccessRequestAccepted000000messagemessage.log_messagemessage
SharingInvitationAccepted000000messagemessage.log_messagemessage
SharingInvitationBlocked000000messagemessage.log_messagemessage
AccessRequestCreated000000messagemessage.log_messagemessage
CompanyLinkCreated000000messagemessage.log_messagemessage
AnonymousLinkCreated000000messagemessage.log_messagemessage
SecureLinkCreated000000messagemessage.log_messagemessage
SharingInvitationCreated000000messagemessage.log_messagemessage
SecureLinkDeleted000000messagemessage.log_messagemessage
AccessRequestDenied000000messagemessage.log_messagemessage
CompanyLinkRemoved000000messagemessage.log_messagemessage
AnonymousLinkRemoved000000messagemessage.log_messagemessage
SharingSet000000messagemessage.log_messagemessage
AccessRequestUpdated000000messagemessage.log_messagemessage
AnonymousLinkUpdated000000messagemessage.log_messagemessage
SharingInvitationUpdated000000messagemessage.log_messagemessage
AnonymousLinkUsed000000messagemessage.log_messagemessage
SharingRevoked000000messagemessage.log_messagemessage
CompanyLinkUsed000000messagemessage.log_messagemessage
SecureLinkUsed000000messagemessage.log_messagemessage
AddedToSecureLink000000messagemessage.log_messagemessage
RemovedFromSecureLink000000messagemessage.log_messagemessage
SharingInvitationRevoked000000messagemessage.log_messagemessage
ManagedSyncClientAllowed000000messagemessage.log_messagemessage
UnmanagedSyncClientBlocked000000messagemessage.log_messagemessage
FileSyncDownloadedFull000000messagemessage.log_messagemessage
FileSyncDownloadedPartial000000messagemessage.log_messagemessage
FileSyncUploadedFull000000messagemessage.log_messagemessage
FileSyncUploadedPartial000000messagemessage.log_messagemessage
SiteCollectionAdminAdded000000messagemessage.log_messagemessage
AddedToGroup000000messagemessage.log_messagemessage
PermissionLevelsInheritanceBroken000000messagemessage.log_messagemessage
SharingInheritanceBroken000000messagemessage.log_messagemessage
GroupAdded000000messagemessage.log_messagemessage
GroupRemoved000000messagemessage.log_messagemessage
WebRequestAccessModified000000messagemessage.log_messagemessage
WebMembersCanShareModified000000messagemessage.log_messagemessage
PermissionLevelModified000000messagemessage.log_messagemessage
SitePermissionsModified000000messagemessage.log_messagemessage
PermissionLevelRemoved000000messagemessage.log_messagemessage
SiteCollectionAdminRemoved000000messagemessage.log_messagemessage
RemovedFromGroup000000messagemessage.log_messagemessage
SiteAdminChangeRequest000000messagemessage.log_messagemessage
SharingInheritanceReset000000messagemessage.log_messagemessage
GroupUpdated000000messagemessage.log_messagemessage
AllowedDataLocationAdded000000messagemessage.log_messagemessage
ExemptUserAgentSet000000messagemessage.log_messagemessage
GeoAdminAdded000000messagemessage.log_messagemessage
AllowGroupCreationSet000000messagemessage.log_messagemessage
SiteGeoMoveCancelled000000messagemessage.log_messagemessage
SharingPolicyChanged000000messagemessage.log_messagemessage
DeviceAccessPolicyChanged000000messagemessage.log_messagemessage
CustomizeExemptUsers000000messagemessage.log_messagemessage
NetworkAccessPolicyChanged000000messagemessage.log_messagemessage
SiteGeoMoveCompleted000000messagemessage.log_messagemessage
SendToConnectionAdded000000messagemessage.log_messagemessage
SiteCollectionCreated000000messagemessage.log_messagemessage
HubSiteOrphanHubDeleted000000messagemessage.log_messagemessage
SendToConnectionRemoved000000messagemessage.log_messagemessage
SiteDeleted000000messagemessage.log_messagemessage
PreviewModeEnabledSet000000messagemessage.log_messagemessage
LegacyWorkflowEnabledSet000000messagemessage.log_messagemessage
OfficeOnDemandSet000000messagemessage.log_messagemessage
PeopleResultsScopeSet000000messagemessage.log_messagemessage
NewsFeedEnabledSet000000messagemessage.log_messagemessage
HubSiteJoined000000messagemessage.log_messagemessage
HubSiteRegistered000000messagemessage.log_messagemessage
AllowedDataLocationDeleted000000messagemessage.log_messagemessage
GeoAdminDeleted000000messagemessage.log_messagemessage
SiteRenamed000000messagemessage.log_messagemessage
SiteGeoMoveScheduled000000messagemessage.log_messagemessage
HostSiteSet000000messagemessage.log_messagemessage
GeoQuotaAllocated000000messagemessage.log_messagemessage
HubSiteUnjoined000000messagemessage.log_messagemessage
HubSiteUnregistered000000messagemessage.log_messagemessage
MailItemsAccessed000000messagemessage.log_messagemessage
AddMailboxPermissions000000messagemessage.log_messagemessage
UpdateCalendarDelegation000000messagemessage.log_messagemessage
AddFolderPermissions000000messagemessage.log_messagemessage
Copy000000messagemessage.log_messagemessage
Create000000messagemessage.log_messagemessage
New-InboxRule000000messagemessage.log_messagemessage
SoftDelete000000messagemessage.log_messagemessage
ApplyRecordLabel000000messagemessage.log_messagemessage
Move000000messagemessage.log_messagemessage
MoveToDeletedItems000000messagemessage.log_messagemessage
UpdateFolderPermissions000000messagemessage.log_messagemessage
Set-InboxRule000000messagemessage.log_messagemessage
HardDelete000000messagemessage.log_messagemessage
Remove-MailboxPermission000000messagemessage.log_messagemessage
RemoveFolderPermissions000000messagemessage.log_messagemessage
Send130000messagingmessaging.emailemail sent
SendAs130000messagingmessaging.emailemail sent
SendOnBehalf130000messagingmessaging.emailemail sent
UpdateInboxRules000000messagemessage.log_messagemessage
Update000000messagemessage.log_messagemessage
MailboxLogin100000authenticationauthentication.logonlogon
Add user110000iamiam.object createaccount created
Change user license111001iamiam.object modifyprivileges assigned
Change user password111004iamiam.object modifypassword change
Delete user110500iamiam.object deleteaccount deleted
Reset user password111004iamiam.object modifypassword change
Set force change user password000000messagemessage.log_messagemessage
Set license properties111001iamiam.object modifyprivileges assigned
Update user111000iamiam.object modifyaccount modified
Add group110002iamiam.object creategroup created
Add member to group111007iamiam.object modifygroup member added
Delete group110501iamiam.object deletegroup deleted
Remove member from group111008iamiam.object modifygroup member removed
Update group111009iamiam.object modifygroup properties modified
Add delegation entry000000messagemessage.log_messagemessage
Add service principal000000messagemessage.log_messagemessage
Add service principal credentials000000messagemessage.log_messagemessage
Remove delegation entry000000messagemessage.log_messagemessage
Remove service principal000000messagemessage.log_messagemessage
Remove service principal credentials000000messagemessage.log_messagemessage
Set delegation entry000000messagemessage.log_messagemessage
Add role member to role111007iamiam.object modifygroup member added
Remove role member from role111008iamiam.object modifygroup member removed
Set company contact information000000messagemessage.log_messagemessage
Add domain to company000000messagemessage.log_messagemessage
Add partner to company000000messagemessage.log_messagemessage
Remove domain from company000000messagemessage.log_messagemessage
Remove partner from company000000messagemessage.log_messagemessage
Set company information000000messagemessage.log_messagemessage
Set domain authentication000000messagemessage.log_messagemessage
Set federation settings on domain000000messagemessage.log_messagemessage
Set password policy000000messagemessage.log_messagemessage
Set DirSyncEnabled flag on company000000messagemessage.log_messagemessage
Update domain000000messagemessage.log_messagemessage
Verify domain000000messagemessage.log_messagemessage
Verify email verified domain000000messagemessage.log_messagemessage
AccessedOdataLink000000messagemessage.log_messagemessage
CanceledQuery000000messagemessage.log_messagemessage
MeetingExclusionCreated000000messagemessage.log_messagemessage
DeletedResult000000messagemessage.log_messagemessage
DownloadedReport000000messagemessage.log_messagemessage
ExecutedQuery000000messagemessage.log_messagemessage
UpdatedDataAccessSetting000000messagemessage.log_messagemessage
UpdatedPrivacySetting000000messagemessage.log_messagemessage
UploadedOrgData000000messagemessage.log_messagemessage
ViewedExplore000000messagemessage.log_messagemessage
BotAddedToTeam000000messagemessage.log_messagemessage
ChannelAdded000000messagemessage.log_messagemessage
ConnectorAdded000000messagemessage.log_messagemessage
MemberAdded000000messagemessage.log_messagemessage
TabAdded000000messagemessage.log_messagemessage
ChannelSettingChanged000000messagemessage.log_messagemessage
MemberRoleChanged000000messagemessage.log_messagemessage
TeamSettingChanged000000messagemessage.log_messagemessage
TeamCreated000000messagemessage.log_messagemessage
DeletedAllOrganizationApps000000messagemessage.log_messagemessage
AppDeletedFromCatalog000000messagemessage.log_messagemessage
ChannelDeleted000000messagemessage.log_messagemessage
TeamDeleted000000messagemessage.log_messagemessage
AppInstalled000000messagemessage.log_messagemessage
PerformedCardAction000000messagemessage.log_messagemessage
AppPublishedToCatalog000000messagemessage.log_messagemessage
BotRemovedFromTeam000000messagemessage.log_messagemessage
ConnectorRemoved000000messagemessage.log_messagemessage
MemberRemoved000000messagemessage.log_messagemessage
TabRemoved000000messagemessage.log_messagemessage
AppUninstalled000000messagemessage.log_messagemessage
AppUpdatedInCatalog000000messagemessage.log_messagemessage
ConnectorUpdated000000messagemessage.log_messagemessage
TabUpdated000000messagemessage.log_messagemessage
AppUpgraded000000messagemessage.log_messagemessage
TeamsSessionStarted000000messagemessage.log_messagemessage
CaseMemberAdded000000messagemessage.log_messagemessage
SearchUpdated000000messagemessage.log_messagemessage
CaseAdminUpdated000000messagemessage.log_messagemessage
CaseUpdated000000messagemessage.log_messagemessage
CaseMemberUpdated000000messagemessage.log_messagemessage
SearchPermissionUpdated000000messagemessage.log_messagemessage
HoldUpdated000000messagemessage.log_messagemessage
PreviewItemDownloaded000000messagemessage.log_messagemessage
PreviewItemListed000000messagemessage.log_messagemessage
PreviewItemRendered000000messagemessage.log_messagemessage
SearchCreated000000messagemessage.log_messagemessage
CaseAdminAdded000000messagemessage.log_messagemessage
CaseAdded000000messagemessage.log_messagemessage
SearchPermissionCreated000000messagemessage.log_messagemessage
HoldCreated000000messagemessage.log_messagemessage
SearchRemoved000000messagemessage.log_messagemessage
CaseAdminRemoved000000messagemessage.log_messagemessage
CaseRemoved000000messagemessage.log_messagemessage
SearchPermissionRemoved000000messagemessage.log_messagemessage
HoldRemoved000000messagemessage.log_messagemessage
SearchExportDownloaded000000messagemessage.log_messagemessage
SearchPreviewed000000messagemessage.log_messagemessage
SearchResultsPurged000000messagemessage.log_messagemessage
RemovedSearchResultsSentToZoom000000messagemessage.log_messagemessage
RemovedSearchExported000000messagemessage.log_messagemessage
CaseMemberRemoved000000messagemessage.log_messagemessage
RemovedSearchPreviewed000000messagemessage.log_messagemessage
RemovedSearchResultsPurged000000messagemessage.log_messagemessage
SearchReportRemoved000000messagemessage.log_messagemessage
SearchResultsSentToZoom000000messagemessage.log_messagemessage
SearchStarted000000messagemessage.log_messagemessage
SearchExported000000messagemessage.log_messagemessage
SearchReport000000messagemessage.log_messagemessage
SearchStopped000000messagemessage.log_messagemessage
CaseViewed000000messagemessage.log_messagemessage
SearchViewed000000messagemessage.log_messagemessage
ViewedSearchExported000000messagemessage.log_messagemessage
ViewedSearchPreviewed000000messagemessage.log_messagemessage
SoftDeleteSettingsUpdated000000messagemessage.log_messagemessage
NetworkConfigurationUpdated000000messagemessage.log_messagemessage
ProcessProfileFields000000messagemessage.log_messagemessage
SupervisorAdminToggled000000messagemessage.log_messagemessage
NetworkSecurityConfigurationUpdated000000messagemessage.log_messagemessage
FileCreated200000fileendpointfile.createfile created
GroupCreation000000messagemessage.log_messagemessage
GroupDeletion000000messagemessage.log_messagemessage
MessageDeleted000000messagemessage.log_messagemessage
FileDownloaded----Viva Engage000000messagemessage.log_messagemessage
DataExport000000messagemessage.log_messagemessage
FileShared000000messagemessage.log_messagemessage
NetworkUserSuspended000000messagemessage.log_messagemessage
UserSuspension000000messagemessage.log_messagemessage
FileUpdateDescription201000fileendpointfile.modifyfile modified
FileUpdateName201000fileendpointfile.modifyfile modified
FileVisited000000messagemessage.log_messagemessage
QuarantineDelete000000messagemessage.log_messagemessage
QuarantineExport000000messagemessage.log_messagemessage
QuarantinePreview000000messagemessage.log_messagemessage
QuarantineRelease000000messagemessage.log_messagemessage
QuarantineViewHeader000000messagemessage.log_messagemessage
CreateComment000000messagemessage.log_messagemessage
CreateForm000000messagemessage.log_messagemessage
EditForm000000messagemessage.log_messagemessage
MoveForm000000messagemessage.log_messagemessage
DeleteForm000000messagemessage.log_messagemessage
ViewForm000000messagemessage.log_messagemessage
PreviewForm000000messagemessage.log_messagemessage
ExportForm000000messagemessage.log_messagemessage
AllowShareFormForCopy000000messagemessage.log_messagemessage
DisallowShareFormForCopy000000messagemessage.log_messagemessage
AddFormCoauthor000000messagemessage.log_messagemessage
RemoveFormCoauthor000000messagemessage.log_messagemessage
ViewRuntimeForm000000messagemessage.log_messagemessage
CreateResponse000000messagemessage.log_messagemessage
UpdateResponse000000messagemessage.log_messagemessage
DeleteAllResponses000000messagemessage.log_messagemessage
DeleteResponse000000messagemessage.log_messagemessage
ViewResponses000000messagemessage.log_messagemessage
ViewResponse000000messagemessage.log_messagemessage
GetSummaryLink000000messagemessage.log_messagemessage
DeleteSummaryLink000000messagemessage.log_messagemessage
UpdatePhishingStatus000000messagemessage.log_messagemessage
UpdateUserPhishingStatus000000messagemessage.log_messagemessage
ProInvitation000000messagemessage.log_messagemessage
UpdateFormSetting000000messagemessage.log_messagemessage
UpdateUserSetting000000messagemessage.log_messagemessage
ListForms000000messagemessage.log_messagemessage
SubmitResponse000000messagemessage.log_messagemessage
SensitivityLabelApplied000000messagemessage.log_messagemessage
SensitivityLabelRemoved000000messagemessage.log_messagemessage
FileSensitivityLabelApplied000000messagemessage.log_messagemessage
FileSensitivityLabelChanged000000messagemessage.log_messagemessage
FileSensitivityLabelRemoved000000messagemessage.log_messagemessage
NewRetentionComplianceRule000000messagemessage.log_messagemessage
NewComplianceTag000000messagemessage.log_messagemessage
NewRetentionCompliancePolicy000000messagemessage.log_messagemessage
RemoveRetentionComplianceRule000000messagemessage.log_messagemessage
RemoveComplianceTag000000messagemessage.log_messagemessage
RemoveRetentionCompliancePolicy000000messagemessage.log_messagemessage
SetRestrictiveRetentionUI000000messagemessage.log_messagemessage
SetRetentionComplianceRule000000messagemessage.log_messagemessage
SetComplianceTag000000messagemessage.log_messagemessage
SetRetentionCompliancePolicy000000messagemessage.log_messagemessage
SearchMtpStatus000000messagemessage.log_messagemessage
UserLoggedIn100000authenticationauthentication.logonlogon
Set-Mailbox000000messagemessage.log_messagemessage
Set-MailboxPlan000000messagemessage.log_messagemessage
ListViewed000000messagemessage.log_messagemessage
SearchDataInsightsSubscription000000messagemessage.log_messagemessage
SearchTIKustoClusterInformation000000messagemessage.log_messagemessage
UserLoginFailed100000authenticationauthentication.logonlogon
Set-TransportConfig000000messagemessage.log_messagemessage
ModifyFolderPermissions000000messagemessage.log_messagemessage
Update service principal111000iamiam.object modifyaccount modified
Add owner to group111009iamiam.object modifygroup properties modified
Add-MailboxPermission000000messagemessage.log_messagemessage
Enable-AddressListPaging000000messagemessage.log_messagemessage
Install-AdminAuditLogConfig000000messagemessage.log_messagemessage
Install-DataClassificationConfig000000messagemessage.log_messagemessage
Install-DefaultSharingPolicy000000messagemessage.log_messagemessage
Install-ResourceConfig000000messagemessage.log_messagemessage
New-ExchangeAssistanceConfig000000messagemessage.log_messagemessage
RemovedFromSiteCollection000000messagemessage.log_messagemessage
Set-AdminAuditLogConfig000000messagemessage.log_messagemessage
Set-ExchangeAssistanceConfig000000messagemessage.log_messagemessage
Set-OwaMailboxPolicy000000messagemessage.log_messagemessage
Set-User000000messagemessage.log_messagemessage
Hard Delete group000000messagemessage.log_messagemessage
Get-CsTeamsUpgradeOverridePolicy000000messagemessage.log_messagemessage
Update StsRefreshTokenValidFrom Timestamp000000messagemessage.log_messagemessage
Remove owner from group000000messagemessage.log_messagemessage
Restore user000000messagemessage.log_messagemessage
FileVersionsAllDeleted000000messagemessage.log_messagemessage
Hard Delete user000000messagemessage.log_messagemessage
FileRecycled000000messagemessage.log_messagemessage
MessageUpdated000000messagemessage.log_messagemessage
SiteCollectionQuotaModified000000messagemessage.log_messagemessage
Remove-UnifiedGroup000000messagemessage.log_messagemessage
Set-RecipientEnforcementProvisioningPolicy000000messagemessage.log_messagemessage
Set-TenantObjectVersion000000messagemessage.log_messagemessage
DlpRuleMatch309999detectiondetection.defaultdetection_message
DlpInfo000000messagemessage.log_messagemessage
DlpRuleUndo000000messagemessage.log_messagemessage
SiteLocksChanged000000messagemessage.log_messagemessage
AlertTriggered309999detectiondetection.defaultdetection_message
ArchiveCreated200000fileendpointfile.createfile created
FileDownloadedFromBrowser200000fileendpointfile.createfile created
FileRead201500fileendpointfile.accessfile accessed
FileCopiedToRemovableMedia201500fileendpointfile.accessfile accessed
FileCopiedToClipboard201500fileendpointfile.accessfile accessed
FileCopiedToNetworkShare201500fileendpointfile.accessfile accessed
FileArchived201500fileendpointfile.accessfile accessed
FileUploadedToCloud201500fileendpointfile.accessfile accessed
FilePrinted201500fileendpointfile.accessfile accessed
FileCreatedOnRemovableMedia200000fileendpointfile.createfile created
AccessRequestApproved000000messagemessage.log_messagemessage
Add app role assignment grant to user000000messagemessage.log_messagemessage
Add app role assignment to group000000messagemessage.log_messagemessage
Add application000000messagemessage.log_messagemessage
Add delegated permission grant000000messagemessage.log_messagemessage
Add device000000messagemessage.log_messagemessage
Add owner to application000000messagemessage.log_messagemessage
Add owner to policy000000messagemessage.log_messagemessage
Add owner to service principal000000messagemessage.log_messagemessage
Add policy000000messagemessage.log_messagemessage
Add policy to service principal000000messagemessage.log_messagemessage
Add registered owner to device000000messagemessage.log_messagemessage
Add registered users to device000000messagemessage.log_messagemessage
AddedToSharingLink000000messagemessage.log_messagemessage
AirInvestigationData000000messagemessage.log_messagemessage
AlertEntityGenerated000000messagemessage.log_messagemessage
AlertUpdated000000messagemessage.log_messagemessage
AppDeleted000000messagemessage.log_messagemessage
ApplicationInstallationCompleted000000messagemessage.log_messagemessage
ApplicationInstallationStarted000000messagemessage.log_messagemessage
Authorize000000messagemessage.log_messagemessage
ChatCreated000000messagemessage.log_messagemessage
ChatRetrieved000000messagemessage.log_messagemessage
CreateCloudDatasourceFromKindPath000000messagemessage.log_messagemessage
CreateDataset000000messagemessage.log_messagemessage
CreateTaskFlow000000messagemessage.log_messagemessage
Delete device000000messagemessage.log_messagemessage
Device no longer compliant000000messagemessage.log_messagemessage
Device no longer managed000000messagemessage.log_messagemessage
EvaluateDataSourcesAgainstTenantDlpPolicies000000messagemessage.log_messagemessage
FileTimelineMetadataAccessed000000messagemessage.log_messagemessage
FileTranscriptContentAccessed000000messagemessage.log_messagemessage
FolderRecycled000000messagemessage.log_messagemessage
GATFRTokenIssue000000messagemessage.log_messagemessage
GetAllGatewayClusterDatasources000000messagemessage.log_messagemessage
Get-AutoSensitivityLabelPolicy000000messagemessage.log_messagemessage
GetDatasourceDetailsWithCredentialsAsync000000messagemessage.log_messagemessage
Get-DlpCompliancePolicy000000messagemessage.log_messagemessage
Get-LabelPolicy000000messagemessage.log_messagemessage
Get-PolicyConfig000000messagemessage.log_messagemessage
GetPowerBIDataModel000000messagemessage.log_messagemessage
InitiateCloudOAuthLogin000000messagemessage.log_messagemessage
LinkedEntityUpdated000000messagemessage.log_messagemessage
ListItemDeleted000000messagemessage.log_messagemessage
LiveResponseGetFile000000messagemessage.log_messagemessage
MDCAssessments000000messagemessage.log_messagemessage
MDCRegulatoryComplianceAssessments000000messagemessage.log_messagemessage
MeetingDetail000000messagemessage.log_messagemessage
MeetingParticipantDetail000000messagemessage.log_messagemessage
MessageCreatedHasLink000000messagemessage.log_messagemessage
MessageCreatedNotification000000messagemessage.log_messagemessage
MessageEditedHasLink000000messagemessage.log_messagemessage
MessageReadReceiptReceived000000messagemessage.log_messagemessage
MessageSent000000messagemessage.log_messagemessage
MipLabel000000messagemessage.log_messagemessage
New-App000000messagemessage.log_messagemessage
New-Mailbox000000messagemessage.log_messagemessage
PastedToBrowser000000messagemessage.log_messagemessage
ReactedToMessage000000messagemessage.log_messagemessage
RefreshDataset000000messagemessage.log_messagemessage
RemovableMediaMount000000messagemessage.log_messagemessage
RemovableMediaUnmount000000messagemessage.log_messagemessage
Remove app role assignment from user000000messagemessage.log_messagemessage
RunLiveResponseSession000000messagemessage.log_messagemessage
Search000000messagemessage.log_messagemessage
SecurityRoleUpdated000000messagemessage.log_messagemessage
SensitivityLabeledFileOpened000000messagemessage.log_messagemessage
SensitivityLabeledFileRenamed000000messagemessage.log_messagemessage
SensitivityLabelPolicyMatched000000messagemessage.log_messagemessage
SensitivityLabelUpdated000000messagemessage.log_messagemessage
Set-ConditionalAccessPolicy000000messagemessage.log_messagemessage
SharingLinkCreated000000messagemessage.log_messagemessage
SharingLinkDeleted000000messagemessage.log_messagemessage
SharingLinkUpdated000000messagemessage.log_messagemessage
SharingLinkUsed000000messagemessage.log_messagemessage
ShortcutAdded000000messagemessage.log_messagemessage
SignInEvent000000messagemessage.log_messagemessage
TagApplied000000messagemessage.log_messagemessage
TaskCreated000000messagemessage.log_messagemessage
TaskUpdated000000messagemessage.log_messagemessage
TeamsMeetingRecordingUploaded000000messagemessage.log_messagemessage
TIMailData000000messagemessage.log_messagemessage
Update application000000messagemessage.log_messagemessage
Update application – Certificates and secrets management000000messagemessage.log_messagemessage
Update device000000messagemessage.log_messagemessage
Update policy000000messagemessage.log_messagemessage
Validate000000messagemessage.log_messagemessage
Add member to role111001iamiam.object modifyprivileges assigned
Remove member from role111002iamiam.object modifyprivileges removed
\ No newline at end of file
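Review bot: "Remove owner from group" is mapped to 000000 / message.log_message while its counterpart "Add owner to group" gets 111009 / iam.object modify, so one half of the same change is classified as IAM and the other is not. The same gap shows in other identity and permission operations in these rows: "Add owner to service principal", "Add owner to application", "Add delegated permission grant", "Add app role assignment grant to user", "Remove app role assignment from user", "Update application – Certificates and secrets management", "Add-MailboxPermission" and "Set-ConditionalAccessPolicy" all fall through to the generic message category, whereas "Update service principal", "Add member to role" and "Remove member from role" carry iam codes. Searches, dashboards and alert rules keyed on the iam category will not see the unmapped operations, so either give them iam mappings in the same style or state in the page that they are intentionally left unclassified. Separately, "UserLoggedIn" and "UserLoginFailed" both show 100000 / authentication.logon / logon in these rows and "SignInEvent" is 000000; if success and failure are distinguished in another field, say which one here so a reader does not treat failed logons as successful ones. The file also ends without a trailing newline.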