Microsoft Office 365 provides cloud-based office apps like Word, Excel, and others. Microsoft Office 365 Spotlight for Graylog Illuminate works with the Office 365 Log Events Enterprise Plugin to process Microsoft 365 logs by providing normalization and enrichment of common events. The Spotlight comes ready to use with several pre-built dashboard views including an Overview tab and tabs for Exchange, Azure Active Directory, and other Microsoft 365 applications.
Supported Version(s)
-
Current version of Microsoft 365 as supported by Microsoft and the Graylog Office 365 Log Events Enterprise Plugin
Requirements
-
A configured Azure/Microsoft 365 tenant and API keys
-
A configured Graylog Office 365 input (see Configuring an Office 365 Input below)
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:O365 Messages"
Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.
Index Set Configuration
This technology pack includes 1 index set definition:
- "Microsoft Office365 Event Log Messages"
Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example
{"CreationTime":"2021-10-03T00:14:46","Id":"bee3fdad-4243-8f3b-f234-15c294843741","Operation":"SearchMtpStatus","OrganizationId":"bee3fdad-4243-8f3b-f234-15c294843742","RecordType":52,"UserKey":"NOT-FOUND","UserType":5,"Version":1,"Workload":"SecurityComplianceCenter","UserId":"NOT-FOUND","AadAppId":"bee3fdad-4243-8f3b-f234-15c294843740","DataType":"MtpStatus","DatabaseType":"DataInsights","RelativeUrl":"/DataInsights/DataInsightsService.svc/Find/MtpStatus?tenantid=bee3fdad-4243-8f3b-f234-15c294843743","ResultCount":"1"}
What is Provided
-
Parsing rules to extract Microsoft 365 logs into Graylog schema compatible fields.
-
Dashboards.
-
Data lookup tables to assist in normalizing Microsoft 365 log messages into the Graylog schema.
Log Collection
Configuring an Office 365 Input
-
Navigate to System > Inputs.
-
Select Office 365 Log Events from the Select Input dropdown.
-
Click Launch new input.
-
Assign a node or select Global mode.
-
Set the Title, Directory (tenant) ID, Application (client) ID, Client Secret, and Subscription Type to correct values for your Microsoft 365 tenant.
-
Click Verify Connection & Proceed.
-
Specify the desired Content Types. Options include: AZURE_ACTIVE_DIRECTORY, SHAREPOINT, EXCHANGE, GENERAL, and DLP_ALL.
-
Set the polling interval. (Graylog recommends starting with a polling interval of 3 minutes for the System Log API used by the Graylog O365 Log Events plugin.)
-
(Optional) Select Store Full Message. (This option consumes additional Graylog ingestion volume and storage requirements but could be required for compliance or other reasons.)
-
Save the input settings.
-
If the input does not start automatically, select Start Input to begin retrieving and processing messages from the configured Microsoft 365 tenant.
GIM Categorization
GIM categorization is provided for the following messages:
| vendor_event_action | gim_event_type_code | gim_event_category | gim_event_class | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|---|
| FileAccessed | 000000 | message | message.log_message | message | |
| FileAccessedExtended | 000000 | message | message.log_message | message | |
| ComplianceSettingChanged | 000000 | message | message.log_message | message | |
| LockRecord | 000000 | message | message.log_message | message | |
| UnlockRecord | 000000 | message | message.log_message | message | |
| FileCheckedIn | 201000 | file | endpoint | file.modify | file modified |
| FileCheckedOut | 000000 | message | message.log_message | message | |
| FileCopied | 200000 | file | endpoint | file.create | file created |
| FileDeleted | 200100 | file | endpoint | file.delete | file deleted |
| FileDeletedFirstStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| FileDeletedSecondStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| RecordDelete | 000000 | message | message.log_message | message | |
| DocumentSensitivityMismatchDetected | 000000 | message | message.log_message | message | |
| FileMalwareDetected | 301000 | detection | detection.host_detection | host_malware_detection | |
| FileCheckOutDiscarded | 000000 | message | message.log_message | message | |
| FileDownloaded | 000000 | message | message.log_message | message | |
| FileModified | 201000 | file | endpoint | file.modify | file modified |
| FileModifiedExtended | 201000 | file | endpoint | file.modify | file modified |
| FileMoved | 201000 | file | endpoint | file.modify | file modified |
| FilePreviewed | 000000 | message | message.log_message | message | |
| SearchQueryPerformed | 000000 | message | message.log_message | message | |
| FileVersionsAllMinorsRecycled | 200100 | file | endpoint | file.delete | file deleted |
| FileVersionsAllRecycled | 200100 | file | endpoint | file.delete | file deleted |
| FileVersionRecycled | 200100 | file | endpoint | file.delete | file deleted |
| FileRenamed | 201000 | file | endpoint | file.modify | file modified |
| FileRestored | 200000 | file | endpoint | file.create | file created |
| FileUploaded | 200000 | file | endpoint | file.create | file created |
| PageViewed | 000000 | message | message.log_message | message | |
| PageViewedExtended | 000000 | message | message.log_message | message | |
| ClientViewSignaled | 000000 | message | message.log_message | message | |
| PagePrefetched | 000000 | message | message.log_message | message | |
| FolderCopied | 200000 | file | endpoint | file.create | file created |
| FolderCreated | 200000 | file | endpoint | file.create | file created |
| FolderDeleted | 200100 | file | endpoint | file.delete | file deleted |
| FolderDeletedFirstStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| FolderDeletedSecondStageRecycleBin | 200100 | file | endpoint | file.delete | file deleted |
| FolderModified | 201000 | file | endpoint | file.modify | file modified |
| FolderMoved | 201000 | file | endpoint | file.modify | file modified |
| FolderRenamed | 201000 | file | endpoint | file.modify | file modified |
| FolderRestored | 200000 | file | endpoint | file.create | file created |
| ListCreated | 000000 | message | message.log_message | message | |
| ListColumnCreated | 000000 | message | message.log_message | message | |
| ListContentTypeCreated | 000000 | message | message.log_message | message | |
| ListItemCreated | 000000 | message | message.log_message | message | |
| SiteColumnCreated | 000000 | message | message.log_message | message | |
| Site ContentType Created | 000000 | message | message.log_message | message | |
| ListDeleted | 000000 | message | message.log_message | message | |
| List Column Deleted | 000000 | message | message.log_message | message | |
| ListContentTypeDeleted | 000000 | message | message.log_message | message | |
| List Item Deleted | 000000 | message | message.log_message | message | |
| SiteColumnDeleted | 000000 | message | message.log_message | message | |
| SiteContentTypeDeleted | 000000 | message | message.log_message | message | |
| ListItemRecycled | 000000 | message | message.log_message | message | |
| ListRestored | 000000 | message | message.log_message | message | |
| ListItemRestored | 000000 | message | message.log_message | message | |
| ListUpdated | 000000 | message | message.log_message | message | |
| ListColumnUpdated | 000000 | message | message.log_message | message | |
| ListContentTypeUpdated | 000000 | message | message.log_message | message | |
| ListItemUpdated | 000000 | message | message.log_message | message | |
| SiteColumnUpdated | 000000 | message | message.log_message | message | |
| SiteContentTypeUpdated | 000000 | message | message.log_message | message | |
| PermissionLevelAdded | 000000 | message | message.log_message | message | |
| AccessRequestAccepted | 000000 | message | message.log_message | message | |
| SharingInvitationAccepted | 000000 | message | message.log_message | message | |
| SharingInvitationBlocked | 000000 | message | message.log_message | message | |
| AccessRequestCreated | 000000 | message | message.log_message | message | |
| CompanyLinkCreated | 000000 | message | message.log_message | message | |
| AnonymousLinkCreated | 000000 | message | message.log_message | message | |
| SecureLinkCreated | 000000 | message | message.log_message | message | |
| SharingInvitationCreated | 000000 | message | message.log_message | message | |
| SecureLinkDeleted | 000000 | message | message.log_message | message | |
| AccessRequestDenied | 000000 | message | message.log_message | message | |
| CompanyLinkRemoved | 000000 | message | message.log_message | message | |
| AnonymousLinkRemoved | 000000 | message | message.log_message | message | |
| SharingSet | 000000 | message | message.log_message | message | |
| AccessRequestUpdated | 000000 | message | message.log_message | message | |
| AnonymousLinkUpdated | 000000 | message | message.log_message | message | |
| SharingInvitationUpdated | 000000 | message | message.log_message | message | |
| AnonymousLinkUsed | 000000 | message | message.log_message | message | |
| SharingRevoked | 000000 | message | message.log_message | message | |
| CompanyLinkUsed | 000000 | message | message.log_message | message | |
| SecureLinkUsed | 000000 | message | message.log_message | message | |
| AddedToSecureLink | 000000 | message | message.log_message | message | |
| RemovedFromSecureLink | 000000 | message | message.log_message | message | |
| SharingInvitationRevoked | 000000 | message | message.log_message | message | |
| ManagedSyncClientAllowed | 000000 | message | message.log_message | message | |
| UnmanagedSyncClientBlocked | 000000 | message | message.log_message | message | |
| FileSyncDownloadedFull | 000000 | message | message.log_message | message | |
| FileSyncDownloadedPartial | 000000 | message | message.log_message | message | |
| FileSyncUploadedFull | 000000 | message | message.log_message | message | |
| FileSyncUploadedPartial | 000000 | message | message.log_message | message | |
| SiteCollectionAdminAdded | 000000 | message | message.log_message | message | |
| AddedToGroup | 000000 | message | message.log_message | message | |
| PermissionLevelsInheritanceBroken | 000000 | message | message.log_message | message | |
| SharingInheritanceBroken | 000000 | message | message.log_message | message | |
| GroupAdded | 000000 | message | message.log_message | message | |
| GroupRemoved | 000000 | message | message.log_message | message | |
| WebRequestAccessModified | 000000 | message | message.log_message | message | |
| WebMembersCanShareModified | 000000 | message | message.log_message | message | |
| PermissionLevelModified | 000000 | message | message.log_message | message | |
| SitePermissionsModified | 000000 | message | message.log_message | message | |
| PermissionLevelRemoved | 000000 | message | message.log_message | message | |
| SiteCollectionAdminRemoved | 000000 | message | message.log_message | message | |
| RemovedFromGroup | 000000 | message | message.log_message | message | |
| SiteAdminChangeRequest | 000000 | message | message.log_message | message | |
| SharingInheritanceReset | 000000 | message | message.log_message | message | |
| GroupUpdated | 000000 | message | message.log_message | message | |
| AllowedDataLocationAdded | 000000 | message | message.log_message | message | |
| ExemptUserAgentSet | 000000 | message | message.log_message | message | |
| GeoAdminAdded | 000000 | message | message.log_message | message | |
| AllowGroupCreationSet | 000000 | message | message.log_message | message | |
| SiteGeoMoveCancelled | 000000 | message | message.log_message | message | |
| SharingPolicyChanged | 000000 | message | message.log_message | message | |
| DeviceAccessPolicyChanged | 000000 | message | message.log_message | message | |
| CustomizeExemptUsers | 000000 | message | message.log_message | message | |
| NetworkAccessPolicyChanged | 000000 | message | message.log_message | message | |
| SiteGeoMoveCompleted | 000000 | message | message.log_message | message | |
| SendToConnectionAdded | 000000 | message | message.log_message | message | |
| SiteCollectionCreated | 000000 | message | message.log_message | message | |
| HubSiteOrphanHubDeleted | 000000 | message | message.log_message | message | |
| SendToConnectionRemoved | 000000 | message | message.log_message | message | |
| SiteDeleted | 000000 | message | message.log_message | message | |
| PreviewModeEnabledSet | 000000 | message | message.log_message | message | |
| LegacyWorkflowEnabledSet | 000000 | message | message.log_message | message | |
| OfficeOnDemandSet | 000000 | message | message.log_message | message | |
| PeopleResultsScopeSet | 000000 | message | message.log_message | message | |
| NewsFeedEnabledSet | 000000 | message | message.log_message | message | |
| HubSiteJoined | 000000 | message | message.log_message | message | |
| HubSiteRegistered | 000000 | message | message.log_message | message | |
| AllowedDataLocationDeleted | 000000 | message | message.log_message | message | |
| GeoAdminDeleted | 000000 | message | message.log_message | message | |
| SiteRenamed | 000000 | message | message.log_message | message | |
| SiteGeoMoveScheduled | 000000 | message | message.log_message | message | |
| HostSiteSet | 000000 | message | message.log_message | message | |
| GeoQuotaAllocated | 000000 | message | message.log_message | message | |
| HubSiteUnjoined | 000000 | message | message.log_message | message | |
| HubSiteUnregistered | 000000 | message | message.log_message | message | |
| MailItemsAccessed | 000000 | message | message.log_message | message | |
| AddMailboxPermissions | 000000 | message | message.log_message | message | |
| UpdateCalendarDelegation | 000000 | message | message.log_message | message | |
| AddFolderPermissions | 000000 | message | message.log_message | message | |
| Copy | 000000 | message | message.log_message | message | |
| Create | 000000 | message | message.log_message | message | |
| New-InboxRule | 000000 | message | message.log_message | message | |
| SoftDelete | 000000 | message | message.log_message | message | |
| ApplyRecordLabel | 000000 | message | message.log_message | message | |
| Move | 000000 | message | message.log_message | message | |
| MoveToDeletedItems | 000000 | message | message.log_message | message | |
| UpdateFolderPermissions | 000000 | message | message.log_message | message | |
| Set-InboxRule | 000000 | message | message.log_message | message | |
| HardDelete | 000000 | message | message.log_message | message | |
| Remove-MailboxPermission | 000000 | message | message.log_message | message | |
| RemoveFolderPermissions | 000000 | message | message.log_message | message | |
| Send | 130000 | messaging | messaging.email | email sent | |
| SendAs | 130000 | messaging | messaging.email | email sent | |
| SendOnBehalf | 130000 | messaging | messaging.email | email sent | |
| UpdateInboxRules | 000000 | message | message.log_message | message | |
| Update | 000000 | message | message.log_message | message | |
| MailboxLogin | 100000 | authentication | authentication.logon | logon | |
| Add user | 110000 | iam | iam.object create | account created | |
| Change user license | 111001 | iam | iam.object modify | privileges assigned | |
| Change user password | 111004 | iam | iam.object modify | password change | |
| Delete user | 110500 | iam | iam.object delete | account deleted | |
| Reset user password | 111004 | iam | iam.object modify | password change | |
| Set force change user password | 000000 | message | message.log_message | message | |
| Set license properties | 111001 | iam | iam.object modify | privileges assigned | |
| Update user | 111000 | iam | iam.object modify | account modified | |
| Add group | 110002 | iam | iam.object create | group created | |
| Add member to group | 111007 | iam | iam.object modify | group member added | |
| Delete group | 110501 | iam | iam.object delete | group deleted | |
| Remove member from group | 111008 | iam | iam.object modify | group member removed | |
| Update group | 111009 | iam | iam.object modify | group properties modified | |
| Add delegation entry | 000000 | message | message.log_message | message | |
| Add service principal | 000000 | message | message.log_message | message | |
| Add service principal credentials | 000000 | message | message.log_message | message | |
| Remove delegation entry | 000000 | message | message.log_message | message | |
| Remove service principal | 000000 | message | message.log_message | message | |
| Remove service principal credentials | 000000 | message | message.log_message | message | |
| Set delegation entry | 000000 | message | message.log_message | message | |
| Add role member to role | 111007 | iam | iam.object modify | group member added | |
| Remove role member from role | 111008 | iam | iam.object modify | group member removed | |
| Set company contact information | 000000 | message | message.log_message | message | |
| Add domain to company | 000000 | message | message.log_message | message | |
| Add partner to company | 000000 | message | message.log_message | message | |
| Remove domain from company | 000000 | message | message.log_message | message | |
| Remove partner from company | 000000 | message | message.log_message | message | |
| Set company information | 000000 | message | message.log_message | message | |
| Set domain authentication | 000000 | message | message.log_message | message | |
| Set federation settings on domain | 000000 | message | message.log_message | message | |
| Set password policy | 000000 | message | message.log_message | message | |
| Set DirSyncEnabled flag on company | 000000 | message | message.log_message | message | |
| Update domain | 000000 | message | message.log_message | message | |
| Verify domain | 000000 | message | message.log_message | message | |
| Verify email verified domain | 000000 | message | message.log_message | message | |
| AccessedOdataLink | 000000 | message | message.log_message | message | |
| CanceledQuery | 000000 | message | message.log_message | message | |
| MeetingExclusionCreated | 000000 | message | message.log_message | message | |
| DeletedResult | 000000 | message | message.log_message | message | |
| DownloadedReport | 000000 | message | message.log_message | message | |
| ExecutedQuery | 000000 | message | message.log_message | message | |
| UpdatedDataAccessSetting | 000000 | message | message.log_message | message | |
| UpdatedPrivacySetting | 000000 | message | message.log_message | message | |
| UploadedOrgData | 000000 | message | message.log_message | message | |
| ViewedExplore | 000000 | message | message.log_message | message | |
| BotAddedToTeam | 000000 | message | message.log_message | message | |
| ChannelAdded | 000000 | message | message.log_message | message | |
| ConnectorAdded | 000000 | message | message.log_message | message | |
| MemberAdded | 000000 | message | message.log_message | message | |
| TabAdded | 000000 | message | message.log_message | message | |
| ChannelSettingChanged | 000000 | message | message.log_message | message | |
| MemberRoleChanged | 000000 | message | message.log_message | message | |
| TeamSettingChanged | 000000 | message | message.log_message | message | |
| TeamCreated | 000000 | message | message.log_message | message | |
| DeletedAllOrganizationApps | 000000 | message | message.log_message | message | |
| AppDeletedFromCatalog | 000000 | message | message.log_message | message | |
| ChannelDeleted | 000000 | message | message.log_message | message | |
| TeamDeleted | 000000 | message | message.log_message | message | |
| AppInstalled | 000000 | message | message.log_message | message | |
| PerformedCardAction | 000000 | message | message.log_message | message | |
| AppPublishedToCatalog | 000000 | message | message.log_message | message | |
| BotRemovedFromTeam | 000000 | message | message.log_message | message | |
| ConnectorRemoved | 000000 | message | message.log_message | message | |
| MemberRemoved | 000000 | message | message.log_message | message | |
| TabRemoved | 000000 | message | message.log_message | message | |
| AppUninstalled | 000000 | message | message.log_message | message | |
| AppUpdatedInCatalog | 000000 | message | message.log_message | message | |
| ConnectorUpdated | 000000 | message | message.log_message | message | |
| TabUpdated | 000000 | message | message.log_message | message | |
| AppUpgraded | 000000 | message | message.log_message | message | |
| TeamsSessionStarted | 000000 | message | message.log_message | message | |
| CaseMemberAdded | 000000 | message | message.log_message | message | |
| SearchUpdated | 000000 | message | message.log_message | message | |
| CaseAdminUpdated | 000000 | message | message.log_message | message | |
| CaseUpdated | 000000 | message | message.log_message | message | |
| CaseMemberUpdated | 000000 | message | message.log_message | message | |
| SearchPermissionUpdated | 000000 | message | message.log_message | message | |
| HoldUpdated | 000000 | message | message.log_message | message | |
| PreviewItemDownloaded | 000000 | message | message.log_message | message | |
| PreviewItemListed | 000000 | message | message.log_message | message | |
| PreviewItemRendered | 000000 | message | message.log_message | message | |
| SearchCreated | 000000 | message | message.log_message | message | |
| CaseAdminAdded | 000000 | message | message.log_message | message | |
| CaseAdded | 000000 | message | message.log_message | message | |
| SearchPermissionCreated | 000000 | message | message.log_message | message | |
| HoldCreated | 000000 | message | message.log_message | message | |
| SearchRemoved | 000000 | message | message.log_message | message | |
| CaseAdminRemoved | 000000 | message | message.log_message | message | |
| CaseRemoved | 000000 | message | message.log_message | message | |
| SearchPermissionRemoved | 000000 | message | message.log_message | message | |
| HoldRemoved | 000000 | message | message.log_message | message | |
| SearchExportDownloaded | 000000 | message | message.log_message | message | |
| SearchPreviewed | 000000 | message | message.log_message | message | |
| SearchResultsPurged | 000000 | message | message.log_message | message | |
| RemovedSearchResultsSentToZoom | 000000 | message | message.log_message | message | |
| RemovedSearchExported | 000000 | message | message.log_message | message | |
| CaseMemberRemoved | 000000 | message | message.log_message | message | |
| RemovedSearchPreviewed | 000000 | message | message.log_message | message | |
| RemovedSearchResultsPurged | 000000 | message | message.log_message | message | |
| SearchReportRemoved | 000000 | message | message.log_message | message | |
| SearchResultsSentToZoom | 000000 | message | message.log_message | message | |
| SearchStarted | 000000 | message | message.log_message | message | |
| SearchExported | 000000 | message | message.log_message | message | |
| SearchReport | 000000 | message | message.log_message | message | |
| SearchStopped | 000000 | message | message.log_message | message | |
| CaseViewed | 000000 | message | message.log_message | message | |
| SearchViewed | 000000 | message | message.log_message | message | |
| ViewedSearchExported | 000000 | message | message.log_message | message | |
| ViewedSearchPreviewed | 000000 | message | message.log_message | message | |
| SoftDeleteSettingsUpdated | 000000 | message | message.log_message | message | |
| NetworkConfigurationUpdated | 000000 | message | message.log_message | message | |
| ProcessProfileFields | 000000 | message | message.log_message | message | |
| SupervisorAdminToggled | 000000 | message | message.log_message | message | |
| NetworkSecurityConfigurationUpdated | 000000 | message | message.log_message | message | |
| FileCreated | 200000 | file | endpoint | file.create | file created |
| GroupCreation | 000000 | message | message.log_message | message | |
| GroupDeletion | 000000 | message | message.log_message | message | |
| MessageDeleted | 000000 | message | message.log_message | message | |
| FileDownloaded----Viva Engage | 000000 | message | message.log_message | message | |
| DataExport | 000000 | message | message.log_message | message | |
| FileShared | 000000 | message | message.log_message | message | |
| NetworkUserSuspended | 000000 | message | message.log_message | message | |
| UserSuspension | 000000 | message | message.log_message | message | |
| FileUpdateDescription | 201000 | file | endpoint | file.modify | file modified |
| FileUpdateName | 201000 | file | endpoint | file.modify | file modified |
| FileVisited | 000000 | message | message.log_message | message | |
| QuarantineDelete | 000000 | message | message.log_message | message | |
| QuarantineExport | 000000 | message | message.log_message | message | |
| QuarantinePreview | 000000 | message | message.log_message | message | |
| QuarantineRelease | 000000 | message | message.log_message | message | |
| QuarantineViewHeader | 000000 | message | message.log_message | message | |
| CreateComment | 000000 | message | message.log_message | message | |
| CreateForm | 000000 | message | message.log_message | message | |
| EditForm | 000000 | message | message.log_message | message | |
| MoveForm | 000000 | message | message.log_message | message | |
| DeleteForm | 000000 | message | message.log_message | message | |
| ViewForm | 000000 | message | message.log_message | message | |
| PreviewForm | 000000 | message | message.log_message | message | |
| ExportForm | 000000 | message | message.log_message | message | |
| AllowShareFormForCopy | 000000 | message | message.log_message | message | |
| DisallowShareFormForCopy | 000000 | message | message.log_message | message | |
| AddFormCoauthor | 000000 | message | message.log_message | message | |
| RemoveFormCoauthor | 000000 | message | message.log_message | message | |
| ViewRuntimeForm | 000000 | message | message.log_message | message | |
| CreateResponse | 000000 | message | message.log_message | message | |
| UpdateResponse | 000000 | message | message.log_message | message | |
| DeleteAllResponses | 000000 | message | message.log_message | message | |
| DeleteResponse | 000000 | message | message.log_message | message | |
| ViewResponses | 000000 | message | message.log_message | message | |
| ViewResponse | 000000 | message | message.log_message | message | |
| GetSummaryLink | 000000 | message | message.log_message | message | |
| DeleteSummaryLink | 000000 | message | message.log_message | message | |
| UpdatePhishingStatus | 000000 | message | message.log_message | message | |
| UpdateUserPhishingStatus | 000000 | message | message.log_message | message | |
| ProInvitation | 000000 | message | message.log_message | message | |
| UpdateFormSetting | 000000 | message | message.log_message | message | |
| UpdateUserSetting | 000000 | message | message.log_message | message | |
| ListForms | 000000 | message | message.log_message | message | |
| SubmitResponse | 000000 | message | message.log_message | message | |
| SensitivityLabelApplied | 000000 | message | message.log_message | message | |
| SensitivityLabelRemoved | 000000 | message | message.log_message | message | |
| FileSensitivityLabelApplied | 000000 | message | message.log_message | message | |
| FileSensitivityLabelChanged | 000000 | message | message.log_message | message | |
| FileSensitivityLabelRemoved | 000000 | message | message.log_message | message | |
| NewRetentionComplianceRule | 000000 | message | message.log_message | message | |
| NewComplianceTag | 000000 | message | message.log_message | message | |
| NewRetentionCompliancePolicy | 000000 | message | message.log_message | message | |
| RemoveRetentionComplianceRule | 000000 | message | message.log_message | message | |
| RemoveComplianceTag | 000000 | message | message.log_message | message | |
| RemoveRetentionCompliancePolicy | 000000 | message | message.log_message | message | |
| SetRestrictiveRetentionUI | 000000 | message | message.log_message | message | |
| SetRetentionComplianceRule | 000000 | message | message.log_message | message | |
| SetComplianceTag | 000000 | message | message.log_message | message | |
| SetRetentionCompliancePolicy | 000000 | message | message.log_message | message | |
| SearchMtpStatus | 000000 | message | message.log_message | message | |
| UserLoggedIn | 100000 | authentication | authentication.logon | logon | |
| Set-Mailbox | 000000 | message | message.log_message | message | |
| Set-MailboxPlan | 000000 | message | message.log_message | message | |
| ListViewed | 000000 | message | message.log_message | message | |
| SearchDataInsightsSubscription | 000000 | message | message.log_message | message | |
| SearchTIKustoClusterInformation | 000000 | message | message.log_message | message | |
| UserLoginFailed | 100000 | authentication | authentication.logon | logon | |
| Set-TransportConfig | 000000 | message | message.log_message | message | |
| ModifyFolderPermissions | 000000 | message | message.log_message | message | |
| Update service principal | 111000 | iam | iam.object modify | account modified | |
| Add owner to group | 111009 | iam | iam.object modify | group properties modified | |
| Add-MailboxPermission | 000000 | message | message.log_message | message | |
| Enable-AddressListPaging | 000000 | message | message.log_message | message | |
| Install-AdminAuditLogConfig | 000000 | message | message.log_message | message | |
| Install-DataClassificationConfig | 000000 | message | message.log_message | message | |
| Install-DefaultSharingPolicy | 000000 | message | message.log_message | message | |
| Install-ResourceConfig | 000000 | message | message.log_message | message | |
| New-ExchangeAssistanceConfig | 000000 | message | message.log_message | message | |
| RemovedFromSiteCollection | 000000 | message | message.log_message | message | |
| Set-AdminAuditLogConfig | 000000 | message | message.log_message | message | |
| Set-ExchangeAssistanceConfig | 000000 | message | message.log_message | message | |
| Set-OwaMailboxPolicy | 000000 | message | message.log_message | message | |
| Set-User | 000000 | message | message.log_message | message | |
| Hard Delete group | 000000 | message | message.log_message | message | |
| Get-CsTeamsUpgradeOverridePolicy | 000000 | message | message.log_message | message | |
| Update StsRefreshTokenValidFrom Timestamp | 000000 | message | message.log_message | message | |
| Remove owner from group | 000000 | message | message.log_message | message | |
| Restore user | 000000 | message | message.log_message | message | |
| FileVersionsAllDeleted | 000000 | message | message.log_message | message | |
| Hard Delete user | 000000 | message | message.log_message | message | |
| FileRecycled | 000000 | message | message.log_message | message | |
| MessageUpdated | 000000 | message | message.log_message | message | |
| SiteCollectionQuotaModified | 000000 | message | message.log_message | message | |
| Remove-UnifiedGroup | 000000 | message | message.log_message | message | |
| Set-RecipientEnforcementProvisioningPolicy | 000000 | message | message.log_message | message | |
| Set-TenantObjectVersion | 000000 | message | message.log_message | message | |
| DlpRuleMatch | 309999 | detection | detection.default | detection_message | |
| DlpInfo | 000000 | message | message.log_message | message | |
| DlpRuleUndo | 000000 | message | message.log_message | message | |
| SiteLocksChanged | 000000 | message | message.log_message | message | |
| AlertTriggered | 309999 | detection | detection.default | detection_message | |
| ArchiveCreated | 200000 | file | endpoint | file.create | file created |
| FileDownloadedFromBrowser | 200000 | file | endpoint | file.create | file created |
| FileRead | 201500 | file | endpoint | file.access | file accessed |
| FileCopiedToRemovableMedia | 201500 | file | endpoint | file.access | file accessed |
| FileCopiedToClipboard | 201500 | file | endpoint | file.access | file accessed |
| FileCopiedToNetworkShare | 201500 | file | endpoint | file.access | file accessed |
| FileArchived | 201500 | file | endpoint | file.access | file accessed |
| FileUploadedToCloud | 201500 | file | endpoint | file.access | file accessed |
| FilePrinted | 201500 | file | endpoint | file.access | file accessed |
| FileCreatedOnRemovableMedia | 200000 | file | endpoint | file.create | file created |
| AccessRequestApproved | 000000 | message | message.log_message | message | |
| Add app role assignment grant to user | 000000 | message | message.log_message | message | |
| Add app role assignment to group | 000000 | message | message.log_message | message | |
| Add application | 000000 | message | message.log_message | message | |
| Add delegated permission grant | 000000 | message | message.log_message | message | |
| Add device | 000000 | message | message.log_message | message | |
| Add owner to application | 000000 | message | message.log_message | message | |
| Add owner to policy | 000000 | message | message.log_message | message | |
| Add owner to service principal | 000000 | message | message.log_message | message | |
| Add policy | 000000 | message | message.log_message | message | |
| Add policy to service principal | 000000 | message | message.log_message | message | |
| Add registered owner to device | 000000 | message | message.log_message | message | |
| Add registered users to device | 000000 | message | message.log_message | message | |
| AddedToSharingLink | 000000 | message | message.log_message | message | |
| AirInvestigationData | 000000 | message | message.log_message | message | |
| AlertEntityGenerated | 000000 | message | message.log_message | message | |
| AlertUpdated | 000000 | message | message.log_message | message | |
| AppDeleted | 000000 | message | message.log_message | message | |
| ApplicationInstallationCompleted | 000000 | message | message.log_message | message | |
| ApplicationInstallationStarted | 000000 | message | message.log_message | message | |
| Authorize | 000000 | message | message.log_message | message | |
| ChatCreated | 000000 | message | message.log_message | message | |
| ChatRetrieved | 000000 | message | message.log_message | message | |
| CreateCloudDatasourceFromKindPath | 000000 | message | message.log_message | message | |
| CreateDataset | 000000 | message | message.log_message | message | |
| CreateTaskFlow | 000000 | message | message.log_message | message | |
| Delete device | 000000 | message | message.log_message | message | |
| Device no longer compliant | 000000 | message | message.log_message | message | |
| Device no longer managed | 000000 | message | message.log_message | message | |
| EvaluateDataSourcesAgainstTenantDlpPolicies | 000000 | message | message.log_message | message | |
| FileTimelineMetadataAccessed | 000000 | message | message.log_message | message | |
| FileTranscriptContentAccessed | 000000 | message | message.log_message | message | |
| FolderRecycled | 000000 | message | message.log_message | message | |
| GATFRTokenIssue | 000000 | message | message.log_message | message | |
| GetAllGatewayClusterDatasources | 000000 | message | message.log_message | message | |
| Get-AutoSensitivityLabelPolicy | 000000 | message | message.log_message | message | |
| GetDatasourceDetailsWithCredentialsAsync | 000000 | message | message.log_message | message | |
| Get-DlpCompliancePolicy | 000000 | message | message.log_message | message | |
| Get-LabelPolicy | 000000 | message | message.log_message | message | |
| Get-PolicyConfig | 000000 | message | message.log_message | message | |
| GetPowerBIDataModel | 000000 | message | message.log_message | message | |
| InitiateCloudOAuthLogin | 000000 | message | message.log_message | message | |
| LinkedEntityUpdated | 000000 | message | message.log_message | message | |
| ListItemDeleted | 000000 | message | message.log_message | message | |
| LiveResponseGetFile | 000000 | message | message.log_message | message | |
| MDCAssessments | 000000 | message | message.log_message | message | |
| MDCRegulatoryComplianceAssessments | 000000 | message | message.log_message | message | |
| MeetingDetail | 000000 | message | message.log_message | message | |
| MeetingParticipantDetail | 000000 | message | message.log_message | message | |
| MessageCreatedHasLink | 000000 | message | message.log_message | message | |
| MessageCreatedNotification | 000000 | message | message.log_message | message | |
| MessageEditedHasLink | 000000 | message | message.log_message | message | |
| MessageReadReceiptReceived | 000000 | message | message.log_message | message | |
| MessageSent | 000000 | message | message.log_message | message | |
| MipLabel | 000000 | message | message.log_message | message | |
| New-App | 000000 | message | message.log_message | message | |
| New-Mailbox | 000000 | message | message.log_message | message | |
| PastedToBrowser | 000000 | message | message.log_message | message | |
| ReactedToMessage | 000000 | message | message.log_message | message | |
| RefreshDataset | 000000 | message | message.log_message | message | |
| RemovableMediaMount | 000000 | message | message.log_message | message | |
| RemovableMediaUnmount | 000000 | message | message.log_message | message | |
| Remove app role assignment from user | 000000 | message | message.log_message | message | |
| RunLiveResponseSession | 000000 | message | message.log_message | message | |
| Search | 000000 | message | message.log_message | message | |
| SecurityRoleUpdated | 000000 | message | message.log_message | message | |
| SensitivityLabeledFileOpened | 000000 | message | message.log_message | message | |
| SensitivityLabeledFileRenamed | 000000 | message | message.log_message | message | |
| SensitivityLabelPolicyMatched | 000000 | message | message.log_message | message | |
| SensitivityLabelUpdated | 000000 | message | message.log_message | message | |
| Set-ConditionalAccessPolicy | 000000 | message | message.log_message | message | |
| SharingLinkCreated | 000000 | message | message.log_message | message | |
| SharingLinkDeleted | 000000 | message | message.log_message | message | |
| SharingLinkUpdated | 000000 | message | message.log_message | message | |
| SharingLinkUsed | 000000 | message | message.log_message | message | |
| ShortcutAdded | 000000 | message | message.log_message | message | |
| SignInEvent | 000000 | message | message.log_message | message | |
| TagApplied | 000000 | message | message.log_message | message | |
| TaskCreated | 000000 | message | message.log_message | message | |
| TaskUpdated | 000000 | message | message.log_message | message | |
| TeamsMeetingRecordingUploaded | 000000 | message | message.log_message | message | |
| TIMailData | 000000 | message | message.log_message | message | |
| Update application | 000000 | message | message.log_message | message | |
| Update application – Certificates and secrets management | 000000 | message | message.log_message | message | |
| Update device | 000000 | message | message.log_message | message | |
| Update policy | 000000 | message | message.log_message | message | |
| Validate | 000000 | message | message.log_message | message | |
| Add member to role | 111001 | iam | iam.object modify | privileges assigned | |
| Remove member from role | 111002 | iam | iam.object modify | privileges removed |
