Microsoft's 365 provides cloud-based office apps like Word, Excel, and others. Microsoft 365 Spotlight for Illuminate works with the Microsoft 365 Log Events Enterprise Plugin to process Microsoft 365 logs by providing normalization and enrichment of common events. The Spotlight comes ready to use with several pre-built dashboard views including Microsoft 365 Overview and tabs for Exchange, Azure Active Directory, and other Microsoft 365 applications.
Supported Version(s)
-
The current Microsoft 365 version supported by Microsoft and the Microsoft 365 Log Events Enterprise Plugin.
Requirements
-
A configured Azure / Microsoft 365 tenant and API keys
-
A configured Microsoft 365 input
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:O365 Messages"
Hint: If this stream does not exist prior to the
activation of this pack then it will be created and configured to route messages to this stream and the
associated index set. There should not be any stream rules configured for this stream.
Index Set Configuration
This technology pack includes 1 index set definition:
- "Microsoft Office365 Event Log Messages"
Hint: If this index set is already defined, then
nothing will be changed. If this index set does not exist, then it will be created with retention
settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after
installation.
Log Format Example
{"CreationTime":"2021-10-03T00:14:46","Id":"bee3fdad-4243-8f3b-f234-15c294843741","Operation":"SearchMtpStatus","OrganizationId":"bee3fdad-4243-8f3b-f234-15c294843742","RecordType":52,"UserKey":"NOT-FOUND","UserType":5,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"NOT-FOUND","AadAppId":"bee3fdad-4243-8f3b-f234-15c294843740","DataType":"MtpStatus","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/MtpStatus?tenantid=bee3fdad-4243-8f3b-f234-15c294843743","ResultCount":"1"}
What is Provided
-
Parsing rules to extract Microsoft 365 logs into schema-compatible fields.
-
GIM event type categorization and enforcement fields for supported Microsoft 365 events.
Log Collection
Configuring an Microsoft 365 Input
-
On the Select Input drop-down menu, select the System menu and then choose Inputs.
-
Select Office 365 Log Events from the Select Input drop-down menu.
-
Click Launch New Input.
-
Assign a node or select Global mode.
-
Set the Title, Directory (tenant) ID, Application (client) ID, Client Secret, and Subscription Type to correct values for your Microsoft 365 tenant.
-
Click Verify Connection & Proceed.
-
Specify the desired Content Types. Options include: AZURE_ACTIVE_DIRECTORY, SHAREPOINT, EXCHANGE, GENERAL, and DLP_ALL.
-
Set the polling interval. (Recommended to start with a polling interval of 3 minutes for the System Log API used by the Microsoft 365 Log Events plugin.)
-
This step is optional: Select Store Full Message. (This option consumes additional ingestion volume and storage requirements but may be required for compliance or other reasons.)
-
Save the input settings.
-
If the input does not start automatically, select Start Input to begin retrieving and processing messages from the configured Microsoft 365 tenant.
GIM Categorization
GIM categorization is provided for the following messages:
Fields List ▼
| vendor_event_action | gim_event_type_code | gim_event_category | gim_event_class | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|---|
| FileAccessed | 000000 | message | message.log_message | message | |
| FileAccessedExtended | 000000 | message | message.log_message | message | |
| ComplianceSettingChanged | 000000 | message | message.log_message | message | |
| LockRecord | 000000 | message | message.log_message | message | |
| UnlockRecord | 000000 | message | message.log_message | message | |
| FileCheckedIn | 201000 | file | endpoint | file.modify | file modified |
| FileCheckedOut | 000000 | message | message.log_message | message | |
| FileCopied | 200000 | file | endpoint | file.create | file created |
| FileDeleted | 200100 | file | endpoint | file.delete | file deleted |
| FileDeletedFirstStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| FileDeletedSecondStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| RecordDelete | 000000 | message | message.log_message | message | |
| DocumentSensitivityMismatchDetected | 000000 | message | message.log_message | message | |
| FileMalwareDetected | 301000 | detection | detection.host_detection | host_malware_detection | |
| FileCheckOutDiscarded | 000000 | message | message.log_message | message | |
| FileDownloaded | 000000 | message | message.log_message | message | |
| FileModified | 201000 | file | endpoint | file.modify | file modified |
| FileModifiedExtended | 201000 | file | endpoint | file.modify | file modified |
| FileMoved | 201000 | file | endpoint | file.modify | file modified |
| FilePreviewed | 000000 | message | message.log_message | message | |
| SearchQueryPerformed | 000000 | message | message.log_message | message | |
| FileVersionsAllMinorsRecycled | 200100 | file | endpoint | file.delete | file deleted |
| FileVersionsAllRecycled | 200100 | file | endpoint | file.delete | file deleted |
| FileVersionRecycled | 200100 | file | endpoint | file.delete | file deleted |
| FileRenamed | 201000 | file | endpoint | file.modify | file modified |
| FileRestored | 200000 | file | endpoint | file.create | file created |
| FileUploaded | 200000 | file | endpoint | file.create | file created |
| PageViewed | 000000 | message | message.log_message | message | |
| PageViewedExtended | 000000 | message | message.log_message | message | |
| ClientViewSignaled | 000000 | message | message.log_message | message | |
| PagePrefetched | 000000 | message | message.log_message | message | |
| FolderCopied | 200000 | file | endpoint | file.create | file created |
| FolderCreated | 200000 | file | endpoint | file.create | file created |
| FolderDeleted | 200100 | file | endpoint | file.delete | file deleted |
| FolderDeletedFirstStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| FolderDeletedSecondStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| FolderModified | 201000 | file | endpoint | file.modify | file modified |
| FolderMoved | 201000 | file | endpoint | file.modify | file modified |
| FolderRenamed | 201000 | file | endpoint | file.modify | file modified |
| FolderRestored | 200000 | file | endpoint | file.create | file created |
| ListCreated | 000000 | message | message.log_message | message | |
| ListColumnCreated | 000000 | message | message.log_message | message | |
| ListContentTypeCreated | 000000 | message | message.log_message | message | |
| ListItemCreated | 000000 | message | message.log_message | message | |
| SiteColumnCreated | 000000 | message | message.log_message | message | |
| Site ContentType Created | 000000 | message | message.log_message | message | |
| ListDeleted | 000000 | message | message.log_message | message | |
| List Column Deleted | 000000 | message | message.log_message | message | |
| ListContentTypeDeleted | 000000 | message | message.log_message | message | |
| List Item Deleted | 000000 | message | message.log_message | message | |
| SiteColumnDeleted | 000000 | message | message.log_message | message | |
| SiteContentTypeDeleted | 000000 | message | message.log_message | message | |
| ListItemRecycled | 000000 | message | message.log_message | message | |
| ListRestored | 000000 | message | message.log_message | message | |
| ListItemRestored | 000000 | message | message.log_message | message | |
| ListUpdated | 000000 | message | message.log_message | message | |
| ListColumnUpdated | 000000 | message | message.log_message | message | |
| ListContentTypeUpdated | 000000 | message | message.log_message | message | |
| ListItemUpdated | 000000 | message | message.log_message | message | |
| SiteColumnUpdated | 000000 | message | message.log_message | message | |
| SiteContentTypeUpdated | 000000 | message | message.log_message | message | |
| PermissionLevelAdded | 000000 | message | message.log_message | message | |
| AccessRequestAccepted | 000000 | message | message.log_message | message | |
| SharingInvitationAccepted | 000000 | message | message.log_message | message | |
| SharingInvitationBlocked | 000000 | message | message.log_message | message | |
| AccessRequestCreated | 000000 | message | message.log_message | message | |
| CompanyLinkCreated | 000000 | message | message.log_message | message | |
| AnonymousLinkCreated | 000000 | message | message.log_message | message | |
| SecureLinkCreated | 000000 | message | message.log_message | message | |
| SharingInvitationCreated | 000000 | message | message.log_message | message | |
| SecureLinkDeleted | 000000 | message | message.log_message | message | |
| AccessRequestDenied | 000000 | message | message.log_message | message | |
| CompanyLinkRemoved | 000000 | message | message.log_message | message | |
| AnonymousLinkRemoved | 000000 | message | message.log_message | message | |
| SharingSet | 000000 | message | message.log_message | message | |
| AccessRequestUpdated | 000000 | message | message.log_message | message | |
| AnonymousLinkUpdated | 000000 | message | message.log_message | message | |
| SharingInvitationUpdated | 000000 | message | message.log_message | message | |
| AnonymousLinkUsed | 000000 | message | message.log_message | message | |
| SharingRevoked | 000000 | message | message.log_message | message | |
| CompanyLinkUsed | 000000 | message | message.log_message | message | |
| SecureLinkUsed | 000000 | message | message.log_message | message | |
| AddedToSecureLink | 000000 | message | message.log_message | message | |
| RemovedFromSecureLink | 000000 | message | message.log_message | message | |
| SharingInvitationRevoked | 000000 | message | message.log_message | message | |
| ManagedSyncClientAllowed | 000000 | message | message.log_message | message | |
| UnmanagedSyncClientBlocked | 000000 | message | message.log_message | message | |
| FileSyncDownloadedFull | 000000 | message | message.log_message | message | |
| FileSyncDownloadedPartial | 000000 | message | message.log_message | message | |
| FileSyncUploadedFull | 000000 | message | message.log_message | message | |
| FileSyncUploadedPartial | 000000 | message | message.log_message | message | |
| SiteCollectionAdminAdded | 000000 | message | message.log_message | message | |
| AddedToGroup | 000000 | message | message.log_message | message | |
| PermissionLevelsInheritanceBroken | 000000 | message | message.log_message | message | |
| SharingInheritanceBroken | 000000 | message | message.log_message | message | |
| GroupAdded | 000000 | message | message.log_message | message | |
| GroupRemoved | 000000 | message | message.log_message | message | |
| WebRequestAccessModified | 000000 | message | message.log_message | message | |
| WebMembersCanShareModified | 000000 | message | message.log_message | message | |
| PermissionLevelModified | 000000 | message | message.log_message | message | |
| SitePermissionsModified | 000000 | message | message.log_message | message | |
| PermissionLevelRemoved | 000000 | message | message.log_message | message | |
| SiteCollectionAdminRemoved | 000000 | message | message.log_message | message | |
| RemovedFromGroup | 000000 | message | message.log_message | message | |
| SiteAdminChangeRequest | 000000 | message | message.log_message | message | |
| SharingInheritanceReset | 000000 | message | message.log_message | message | |
| GroupUpdated | 000000 | message | message.log_message | message | |
| AllowedDataLocationAdded | 000000 | message | message.log_message | message | |
| ExemptUserAgentSet | 000000 | message | message.log_message | message | |
| GeoAdminAdded | 000000 | message | message.log_message | message | |
| AllowGroupCreationSet | 000000 | message | message.log_message | message | |
| SiteGeoMoveCancelled | 000000 | message | message.log_message | message | |
| SharingPolicyChanged | 000000 | message | message.log_message | message | |
| DeviceAccessPolicyChanged | 000000 | message | message.log_message | message | |
| CustomizeExemptUsers | 000000 | message | message.log_message | message | |
| NetworkAccessPolicyChanged | 000000 | message | message.log_message | message | |
| SiteGeoMoveCompleted | 000000 | message | message.log_message | message | |
| SendToConnectionAdded | 000000 | message | message.log_message | message | |
| SiteCollectionCreated | 000000 | message | message.log_message | message | |
| HubSiteOrphanHubDeleted | 000000 | message | message.log_message | message | |
| SendToConnectionRemoved | 000000 | message | message.log_message | message | |
| SiteDeleted | 000000 | message | message.log_message | message | |
| PreviewModeEnabledSet | 000000 | message | message.log_message | message | |
| LegacyWorkflowEnabledSet | 000000 | message | message.log_message | message | |
| OfficeOnDemandSet | 000000 | message | message.log_message | message | |
| PeopleResultsScopeSet | 000000 | message | message.log_message | message | |
| NewsFeedEnabledSet | 000000 | message | message.log_message | message | |
| HubSiteJoined | 000000 | message | message.log_message | message | |
| HubSiteRegistered | 000000 | message | message.log_message | message | |
| AllowedDataLocationDeleted | 000000 | message | message.log_message | message | |
| GeoAdminDeleted | 000000 | message | message.log_message | message | |
| SiteRenamed | 000000 | message | message.log_message | message | |
| SiteGeoMoveScheduled | 000000 | message | message.log_message | message | |
| HostSiteSet | 000000 | message | message.log_message | message | |
| GeoQuotaAllocated | 000000 | message | message.log_message | message | |
| HubSiteUnjoined | 000000 | message | message.log_message | message | |
| HubSiteUnregistered | 000000 | message | message.log_message | message | |
| MailItemsAccessed | 000000 | message | message.log_message | message | |
| AddMailboxPermissions | 000000 | message | message.log_message | message | |
| UpdateCalendarDelegation | 000000 | message | message.log_message | message | |
| AddFolderPermissions | 000000 | message | message.log_message | message | |
| Copy | 000000 | message | message.log_message | message | |
| Create | 000000 | message | message.log_message | message | |
| New-InboxRule | 000000 | message | message.log_message | message | |
| SoftDelete | 000000 | message | message.log_message | message | |
| ApplyRecordLabel | 000000 | message | message.log_message | message | |
| Move | 000000 | message | message.log_message | message | |
| MoveToDeletedItems | 000000 | message | message.log_message | message | |
| UpdateFolderPermissions | 000000 | message | message.log_message | message | |
| Set-InboxRule | 000000 | message | message.log_message | message | |
| HardDelete | 000000 | message | message.log_message | message | |
| Remove-MailboxPermission | 000000 | message | message.log_message | message | |
| RemoveFolderPermissions | 000000 | message | message.log_message | message | |
| Send | 130000 | messaging | messaging.email | email sent | |
| SendAs | 130000 | messaging | messaging.email | email sent | |
| SendOnBehalf | 130000 | messaging | messaging.email | email sent | |
| UpdateInboxRules | 000000 | message | message.log_message | message | |
| Update | 000000 | message | message.log_message | message | |
| MailboxLogin | 100000 | authentication | authentication.logon | logon | |
| MailboxLogin | 100500 | authentication | authentication.credential_validation | credential validation | |
| Add user | 110000 | iam | iam.object create | account created | |
| Change user license | 111001 | iam | iam.object modify | privileges assigned | |
| Change user password | 111004 | iam | iam.object modify | password change | |
| Delete user | 110500 | iam | iam.object delete | account deleted | |
| Reset user password | 111004 | iam | iam.object modify | password change | |
| Set force change user password | 000000 | message | message.log_message | message | |
| Set license properties | 111001 | iam | iam.object modify | privileges assigned | |
| Update user | 111000 | iam | iam.object modify | account modified | |
| Add group | 110002 | iam | iam.object create | group created | |
| Add member to group | 111007 | iam | iam.object modify | group member added | |
| Delete group | 110501 | iam | iam.object delete | group deleted | |
| Remove member from group | 111008 | iam | iam.object modify | group member removed | |
| Update group | 111009 | iam | iam.object modify | group properties modified | |
| Add delegation entry | 000000 | message | message.log_message | message | |
| Add service principal | 000000 | message | message.log_message | message | |
| Add service principal credentials | 000000 | message | message.log_message | message | |
| Remove delegation entry | 000000 | message | message.log_message | message | |
| Remove service principal | 000000 | message | message.log_message | message | |
| Remove service principal credentials | 000000 | message | message.log_message | message | |
| Set delegation entry | 000000 | message | message.log_message | message | |
| Add role member to role | 111007 | iam | iam.object modify | group member added | |
| Remove role member from role | 111008 | iam | iam.object modify | group member removed | |
| Set company contact information | 000000 | message | message.log_message | message | |
| Add domain to company | 000000 | message | message.log_message | message | |
| Add partner to company | 000000 | message | message.log_message | message | |
| Remove domain from company | 000000 | message | message.log_message | message | |
| Remove partner from company | 000000 | message | message.log_message | message | |
| Set company information | 000000 | message | message.log_message | message | |
| Set domain authentication | 000000 | message | message.log_message | message | |
| Set federation settings on domain | 000000 | message | message.log_message | message | |
| Set password policy | 000000 | message | message.log_message | message | |
| Set DirSyncEnabled flag on company | 000000 | message | message.log_message | message | |
| Update domain | 000000 | message | message.log_message | message | |
| Verify domain | 000000 | message | message.log_message | message | |
| Verify email verified domain | 000000 | message | message.log_message | message | |
| AccessedOdataLink | 000000 | message | message.log_message | message | |
| CanceledQuery | 000000 | message | message.log_message | message | |
| MeetingExclusionCreated | 000000 | message | message.log_message | message | |
| DeletedResult | 000000 | message | message.log_message | message | |
| DownloadedReport | 000000 | message | message.log_message | message | |
| ExecutedQuery | 000000 | message | message.log_message | message | |
| UpdatedDataAccessSetting | 000000 | message | message.log_message | message | |
| UpdatedPrivacySetting | 000000 | message | message.log_message | message | |
| UploadedOrgData | 000000 | message | message.log_message | message | |
| ViewedExplore | 000000 | message | message.log_message | message | |
| BotAddedToTeam | 000000 | message | message.log_message | message | |
| ChannelAdded | 000000 | message | message.log_message | message | |
| ConnectorAdded | 000000 | message | message.log_message | message | |
| MemberAdded | 000000 | message | message.log_message | message | |
| TabAdded | 000000 | message | message.log_message | message | |
| ChannelSettingChanged | 000000 | message | message.log_message | message | |
| MemberRoleChanged | 000000 | message | message.log_message | message | |
| TeamSettingChanged | 000000 | message | message.log_message | message | |
| TeamCreated | 000000 | message | message.log_message | message | |
| DeletedAllOrganizationApps | 000000 | message | message.log_message | message | |
| AppDeletedFromCatalog | 000000 | message | message.log_message | message | |
| ChannelDeleted | 000000 | message | message.log_message | message | |
| TeamDeleted | 000000 | message | message.log_message | message | |
| AppInstalled | 000000 | message | message.log_message | message | |
| PerformedCardAction | 000000 | message | message.log_message | message | |
| AppPublishedToCatalog | 000000 | message | message.log_message | message | |
| BotRemovedFromTeam | 000000 | message | message.log_message | message | |
| ConnectorRemoved | 000000 | message | message.log_message | message | |
| MemberRemoved | 000000 | message | message.log_message | message | |
| TabRemoved | 000000 | message | message.log_message | message | |
| AppUninstalled | 000000 | message | message.log_message | message | |
| AppUpdatedInCatalog | 000000 | message | message.log_message | message | |
| ConnectorUpdated | 000000 | message | message.log_message | message | |
| TabUpdated | 000000 | message | message.log_message | message | |
| AppUpgraded | 000000 | message | message.log_message | message | |
| TeamsSessionStarted | 000000 | message | message.log_message | message | |
| CaseMemberAdded | 000000 | message | message.log_message | message | |
| SearchUpdated | 000000 | message | message.log_message | message | |
| CaseAdminUpdated | 000000 | message | message.log_message | message | |
| CaseUpdated | 000000 | message | message.log_message | message | |
| CaseMemberUpdated | 000000 | message | message.log_message | message | |
| SearchPermissionUpdated | 000000 | message | message.log_message | message | |
| HoldUpdated | 000000 | message | message.log_message | message | |
| PreviewItemDownloaded | 000000 | message | message.log_message | message | |
| PreviewItemListed | 000000 | message | message.log_message | message | |
| PreviewItemRendered | 000000 | message | message.log_message | message | |
| SearchCreated | 000000 | message | message.log_message | message | |
| CaseAdminAdded | 000000 | message | message.log_message | message | |
| CaseAdded | 000000 | message | message.log_message | message | |
| SearchPermissionCreated | 000000 | message | message.log_message | message | |
| HoldCreated | 000000 | message | message.log_message | message | |
| SearchRemoved | 000000 | message | message.log_message | message | |
| CaseAdminRemoved | 000000 | message | message.log_message | message | |
| CaseRemoved | 000000 | message | message.log_message | message | |
| SearchPermissionRemoved | 000000 | message | message.log_message | message | |
| HoldRemoved | 000000 | message | message.log_message | message | |
| SearchExportDownloaded | 000000 | message | message.log_message | message | |
| SearchPreviewed | 000000 | message | message.log_message | message | |
| SearchResultsPurged | 000000 | message | message.log_message | message | |
| RemovedSearchResultsSentToZoom | 000000 | message | message.log_message | message | |
| RemovedSearchExported | 000000 | message | message.log_message | message | |
| CaseMemberRemoved | 000000 | message | message.log_message | message | |
| RemovedSearchPreviewed | 000000 | message | message.log_message | message | |
| RemovedSearchResultsPurged | 000000 | message | message.log_message | message | |
| SearchReportRemoved | 000000 | message | message.log_message | message | |
| SearchResultsSentToZoom | 000000 | message | message.log_message | message | |
| SearchStarted | 000000 | message | message.log_message | message | |
| SearchExported | 000000 | message | message.log_message | message | |
| SearchReport | 000000 | message | message.log_message | message | |
| SearchStopped | 000000 | message | message.log_message | message | |
| CaseViewed | 000000 | message | message.log_message | message | |
| SearchViewed | 000000 | message | message.log_message | message | |
| ViewedSearchExported | 000000 | message | message.log_message | message | |
| ViewedSearchPreviewed | 000000 | message | message.log_message | message | |
| SoftDeleteSettingsUpdated | 000000 | message | message.log_message | message | |
| NetworkConfigurationUpdated | 000000 | message | message.log_message | message | |
| ProcessProfileFields | 000000 | message | message.log_message | message | |
| SupervisorAdminToggled | 000000 | message | message.log_message | message | |
| NetworkSecurityConfigurationUpdated | 000000 | message | message.log_message | message | |
| FileCreated | 200000 | file | endpoint | file.create | file created |
| GroupCreation | 000000 | message | message.log_message | message | |
| GroupDeletion | 000000 | message | message.log_message | message | |
| MessageDeleted | 000000 | message | message.log_message | message | |
| FileDownloaded----Viva Engage | 000000 | message | message.log_message | message | |
| DataExport | 000000 | message | message.log_message | message | |
| FileShared | 000000 | message | message.log_message | message | |
| NetworkUserSuspended | 000000 | message | message.log_message | message | |
| UserSuspension | 000000 | message | message.log_message | message | |
| FileUpdateDescription | 201000 | file | endpoint | file.modify | file modified |
| FileUpdateName | 201000 | file | endpoint | file.modify | file modified |
| FileVisited | 000000 | message | message.log_message | message | |
| QuarantineDelete | 000000 | message | message.log_message | message | |
| QuarantineExport | 000000 | message | message.log_message | message | |
| QuarantinePreview | 000000 | message | message.log_message | message | |
| QuarantineRelease | 000000 | message | message.log_message | message | |
| QuarantineViewHeader | 000000 | message | message.log_message | message | |
| CreateComment | 000000 | message | message.log_message | message | |
| CreateForm | 000000 | message | message.log_message | message | |
| EditForm | 000000 | message | message.log_message | message | |
| MoveForm | 000000 | message | message.log_message | message | |
| DeleteForm | 000000 | message | message.log_message | message | |
| ViewForm | 000000 | message | message.log_message | message | |
| PreviewForm | 000000 | message | message.log_message | message | |
| ExportForm | 000000 | message | message.log_message | message | |
| AllowShareFormForCopy | 000000 | message | message.log_message | message | |
| DisallowShareFormForCopy | 000000 | message | message.log_message | message | |
| AddFormCoauthor | 000000 | message | message.log_message | message | |
| RemoveFormCoauthor | 000000 | message | message.log_message | message | |
| ViewRuntimeForm | 000000 | message | message.log_message | message | |
| CreateResponse | 000000 | message | message.log_message | message | |
| UpdateResponse | 000000 | message | message.log_message | message | |
| DeleteAllResponses | 000000 | message | message.log_message | message | |
| DeleteResponse | 000000 | message | message.log_message | message | |
| ViewResponses | 000000 | message | message.log_message | message | |
| ViewResponse | 000000 | message | message.log_message | message | |
| GetSummaryLink | 000000 | message | message.log_message | message | |
| DeleteSummaryLink | 000000 | message | message.log_message | message | |
| UpdatePhishingStatus | 000000 | message | message.log_message | message | |
| UpdateUserPhishingStatus | 000000 | message | message.log_message | message | |
| ProInvitation | 000000 | message | message.log_message | message | |
| UpdateFormSetting | 000000 | message | message.log_message | message | |
| UpdateUserSetting | 000000 | message | message.log_message | message | |
| ListForms | 000000 | message | message.log_message | message | |
| SubmitResponse | 000000 | message | message.log_message | message | |
| SensitivityLabelApplied | 000000 | message | message.log_message | message | |
| SensitivityLabelRemoved | 000000 | message | message.log_message | message | |
| FileSensitivityLabelApplied | 000000 | message | message.log_message | message | |
| FileSensitivityLabelChanged | 000000 | message | message.log_message | message | |
| FileSensitivityLabelRemoved | 000000 | message | message.log_message | message | |
| NewRetentionComplianceRule | 000000 | message | message.log_message | message | |
| NewComplianceTag | 000000 | message | message.log_message | message | |
| NewRetentionCompliancePolicy | 000000 | message | message.log_message | message | |
| RemoveRetentionComplianceRule | 000000 | message | message.log_message | message | |
| RemoveComplianceTag | 000000 | message | message.log_message | message | |
| RemoveRetentionCompliancePolicy | 000000 | message | message.log_message | message | |
| SetRestrictiveRetentionUI | 000000 | message | message.log_message | message | |
| SetRetentionComplianceRule | 000000 | message | message.log_message | message | |
| SetComplianceTag | 000000 | message | message.log_message | message | |
| SetRetentionCompliancePolicy | 000000 | message | message.log_message | message | |
| SearchMtpStatus | 000000 | message | message.log_message | message | |
| UserLoggedIn | 100000 | authentication | authentication.logon | logon | |
| UserLoggedIn | 100500 | authentication | authentication.credential_validation | credential validation | |
| Set-Mailbox | 000000 | message | message.log_message | message | |
| Set-MailboxPlan | 000000 | message | message.log_message | message | |
| ListViewed | 000000 | message | message.log_message | message | |
| SearchDataInsightsSubscription | 000000 | message | message.log_message | message | |
| SearchTIKustoClusterInformation | 000000 | message | message.log_message | message | |
| UserLoginFailed | 100000 | authentication | authentication.logon | logon | |
| UserLoginFailed | 100500 | authentication | authentication.credential_validation | credential validation | |
| Set-TransportConfig | 000000 | message | message.log_message | message | |
| ModifyFolderPermissions | 000000 | message | message.log_message | message | |
| Update service principal | 111000 | iam | iam.object modify | account modified | |
| Add owner to group | 111009 | iam | iam.object modify | group properties modified | |
| Add-MailboxPermission | 000000 | message | message.log_message | message | |
| Enable-AddressListPaging | 000000 | message | message.log_message | message | |
| Install-AdminAuditLogConfig | 000000 | message | message.log_message | message | |
| Install-DataClassificationConfig | 000000 | message | message.log_message | message | |
| Install-DefaultSharingPolicy | 000000 | message | message.log_message | message | |
| Install-ResourceConfig | 000000 | message | message.log_message | message | |
| New-ExchangeAssistanceConfig | 000000 | message | message.log_message | message | |
| RemovedFromSiteCollection | 000000 | message | message.log_message | message | |
| Set-AdminAuditLogConfig | 000000 | message | message.log_message | message | |
| Set-ExchangeAssistanceConfig | 000000 | message | message.log_message | message | |
| Set-OwaMailboxPolicy | 000000 | message | message.log_message | message | |
| Set-User | 000000 | message | message.log_message | message | |
| Hard Delete group | 000000 | message | message.log_message | message | |
| Get-CsTeamsUpgradeOverridePolicy | 000000 | message | message.log_message | message | |
| Update StsRefreshTokenValidFrom Timestamp | 000000 | message | message.log_message | message | |
| Remove owner from group | 000000 | message | message.log_message | message | |
| Restore user | 000000 | message | message.log_message | message | |
| FileVersionsAllDeleted | 000000 | message | message.log_message | message | |
| Hard Delete user | 000000 | message | message.log_message | message | |
| FileRecycled | 000000 | message | message.log_message | message | |
| MessageUpdated | 000000 | message | message.log_message | message | |
| SiteCollectionQuotaModified | 000000 | message | message.log_message | message | |
| Remove-UnifiedGroup | 000000 | message | message.log_message | message | |
| Set-RecipientEnforcementProvisioningPolicy | 000000 | message | message.log_message | message | |
| Set-TenantObjectVersion | 000000 | message | message.log_message | message | |
| DlpRuleMatch | 309999 | detection | detection.default | detection_message | |
| DlpInfo | 000000 | message | message.log_message | message | |
| DlpRuleUndo | 000000 | message | message.log_message | message | |
| SiteLocksChanged | 000000 | message | message.log_message | message | |
| AlertTriggered | 309999 | detection | detection.default | detection_message | |
| ArchiveCreated | 200000 | file | endpoint | file.create | file created |
| FileDownloadedFromBrowser | 200000 | file | endpoint | file.create | file created |
| FileRead | 201500 | file | endpoint | file.access | file accessed |
| FileCopiedToRemovableMedia | 201500 | file | endpoint | file.access | file accessed |
| FileCopiedToClipboard | 201500 | file | endpoint | file.access | file accessed |
| FileCopiedToNetworkShare | 201500 | file | endpoint | file.access | file accessed |
| FileArchived | 201500 | file | endpoint | file.access | file accessed |
| FileUploadedToCloud | 201500 | file | endpoint | file.access | file accessed |
| FilePrinted | 201500 | file | endpoint | file.access | file accessed |
| FileCreatedOnRemovableMedia | 200000 | file | endpoint | file.create | file created |
| AccessRequestApproved | 000000 | message | message.log_message | message | |
| Add app role assignment grant to user | 000000 | message | message.log_message | message | |
| Add app role assignment to group | 000000 | message | message.log_message | message | |
| Add application | 000000 | message | message.log_message | message | |
| Add delegated permission grant | 000000 | message | message.log_message | message | |
| Add device | 000000 | message | message.log_message | message | |
| Add owner to application | 000000 | message | message.log_message | message | |
| Add owner to policy | 000000 | message | message.log_message | message | |
| Add owner to service principal | 000000 | message | message.log_message | message | |
| Add policy | 000000 | message | message.log_message | message | |
| Add policy to service principal | 000000 | message | message.log_message | message | |
| Add registered owner to device | 000000 | message | message.log_message | message | |
| Add registered users to device | 000000 | message | message.log_message | message | |
| AddedToSharingLink | 000000 | message | message.log_message | message | |
| AirInvestigationData | 000000 | message | message.log_message | message | |
| AlertEntityGenerated | 000000 | message | message.log_message | message | |
| AlertUpdated | 000000 | message | message.log_message | message | |
| AppDeleted | 000000 | message | message.log_message | message | |
| ApplicationInstallationCompleted | 000000 | message | message.log_message | message | |
| ApplicationInstallationStarted | 000000 | message | message.log_message | message | |
| Authorize | 000000 | message | message.log_message | message | |
| ChatCreated | 000000 | message | message.log_message | message | |
| ChatRetrieved | 000000 | message | message.log_message | message | |
| CreateCloudDatasourceFromKindPath | 000000 | message | message.log_message | message | |
| CreateDataset | 000000 | message | message.log_message | message | |
| CreateTaskFlow | 000000 | message | message.log_message | message | |
| Delete device | 000000 | message | message.log_message | message | |
| Device no longer compliant | 000000 | message | message.log_message | message | |
| Device no longer managed | 000000 | message | message.log_message | message | |
| EvaluateDataSourcesAgainstTenantDlpPolicies | 000000 | message | message.log_message | message | |
| FileTimelineMetadataAccessed | 000000 | message | message.log_message | message | |
| FileTranscriptContentAccessed | 000000 | message | message.log_message | message | |
| FolderRecycled | 000000 | message | message.log_message | message | |
| GATFRTokenIssue | 000000 | message | message.log_message | message | |
| GetAllGatewayClusterDatasources | 000000 | message | message.log_message | message | |
| Get-AutoSensitivityLabelPolicy | 000000 | message | message.log_message | message | |
| GetDatasourceDetailsWithCredentialsAsync | 000000 | message | message.log_message | message | |
| Get-DlpCompliancePolicy | 000000 | message | message.log_message | message | |
| Get-LabelPolicy | 000000 | message | message.log_message | message | |
| Get-PolicyConfig | 000000 | message | message.log_message | message | |
| GetPowerBIDataModel | 000000 | message | message.log_message | message | |
| InitiateCloudOAuthLogin | 000000 | message | message.log_message | message | |
| LinkedEntityUpdated | 000000 | message | message.log_message | message | |
| ListItemDeleted | 000000 | message | message.log_message | message | |
| LiveResponseGetFile | 000000 | message | message.log_message | message | |
| MDCAssessments | 000000 | message | message.log_message | message | |
| MDCRegulatoryComplianceAssessments | 000000 | message | message.log_message | message | |
| MeetingDetail | 000000 | message | message.log_message | message | |
| MeetingParticipantDetail | 000000 | message | message.log_message | message | |
| MessageCreatedHasLink | 000000 | message | message.log_message | message | |
| MessageCreatedNotification | 000000 | message | message.log_message | message | |
| MessageEditedHasLink | 000000 | message | message.log_message | message | |
| MessageReadReceiptReceived | 000000 | message | message.log_message | message | |
| MessageSent | 000000 | message | message.log_message | message | |
| MipLabel | 000000 | message | message.log_message | message | |
| New-App | 000000 | message | message.log_message | message | |
| New-Mailbox | 000000 | message | message.log_message | message | |
| PastedToBrowser | 000000 | message | message.log_message | message | |
| ReactedToMessage | 000000 | message | message.log_message | message | |
| RefreshDataset | 000000 | message | message.log_message | message | |
| RemovableMediaMount | 000000 | message | message.log_message | message | |
| RemovableMediaUnmount | 000000 | message | message.log_message | message | |
| Remove app role assignment from user | 000000 | message | message.log_message | message | |
| RunLiveResponseSession | 000000 | message | message.log_message | message | |
| Search | 000000 | message | message.log_message | message | |
| SecurityRoleUpdated | 000000 | message | message.log_message | message | |
| SensitivityLabeledFileOpened | 000000 | message | message.log_message | message | |
| SensitivityLabeledFileRenamed | 000000 | message | message.log_message | message | |
| SensitivityLabelPolicyMatched | 000000 | message | message.log_message | message | |
| SensitivityLabelUpdated | 000000 | message | message.log_message | message | |
| Set-ConditionalAccessPolicy | 000000 | message | message.log_message | message | |
| SharingLinkCreated | 000000 | message | message.log_message | message | |
| SharingLinkDeleted | 000000 | message | message.log_message | message | |
| SharingLinkUpdated | 000000 | message | message.log_message | message | |
| SharingLinkUsed | 000000 | message | message.log_message | message | |
| ShortcutAdded | 000000 | message | message.log_message | message | |
| SignInEvent | 000000 | message | message.log_message | message | |
| TagApplied | 000000 | message | message.log_message | message | |
| TaskCreated | 000000 | message | message.log_message | message | |
| TaskUpdated | 000000 | message | message.log_message | message | |
| TeamsMeetingRecordingUploaded | 000000 | message | message.log_message | message | |
| TIMailData | 000000 | message | message.log_message | message | |
| Update application | 000000 | message | message.log_message | message | |
| Update application – Certificates and secrets management | 000000 | message | message.log_message | message | |
| Update device | 000000 | message | message.log_message | message | |
| Update policy | 000000 | message | message.log_message | message | |
| Validate | 000000 | message | message.log_message | message | |
| Add member to role | 111001 | iam | iam.object modify | privileges assigned | |
| Remove member from role | 111002 | iam | iam.object modify | privileges removed |
