Events involving accounts and objects in Office 365 and other cloud apps and services
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AccountDisplayName | string | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. |
| AccountId | string | An identifier for the account as found by Microsoft Cloud App Security. Could be Azure Active Directory ID, user principal name, or other identifiers |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountType | string | Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application |
| ActionType | string | Type of activity that triggered the event |
| ActivityObjects | dynamic | List of objects, such as files or folders, that were involved in the recorded activity |
| ActivityType | string | Type of activity that triggered the event |
| AdditionalFields | dynamic | Additional information about the entity or event |
| AppInstanceId | int | Unique identifier for the instance of an application |
| Application | string | Application that performed the recorded action |
| ApplicationId | int | Unique identifier for the application |
| AuditSource | string | Cloud environment source of the cloud audit event. Could be Azure, AWS, GCP, AliCloud or other |
| City | string | City where the client IP address is geolocated |
| CountryCode | string | Two-letter code indicating the country where the client IP address is geolocated |
| DeviceType | string | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
| IPAddress | string | IP address assigned to the device during communication |
| IPCategory | string | Additional information about the IP address |
| IPTags | dynamic | Customer-defined information applied to specific IP addresses and IP address ranges |
| IsAdminOperation | bool | Indicates whether the activity was performed by an administrator |
| IsAnonymousProxy | bool | Indicates whether the IP address belongs to a known anonymous proxy |
| IsExternalUser | bool | Indicates whether a user inside the network doesn't belong to the organization's domain |
| IsImpersonated | bool | Indicates whether the activity was performed by one user for another (impersonated) user |
| ISP | string | Internet service provider associated with the IP address |
| LastSeenForUser | dynamic | Number of days since each statistical feature for the user was last seen |
| OAuthAppId | string | A unique identifier that's assigned to an application when it's registered to Entra with OAuth 2.0. |
| ObjectId | string | Unique identifier of the object that the recorded action was applied to |
| ObjectName | string | Name of the object that the recorded action was applied to |
| ObjectType | string | The type of object, such as a file or a folder, that the recorded action was applied to |
| OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| RawEventData | dynamic | Raw event information from the source application or service in JSON format |
| ReportId | string | Unique identifier for the event |
| SessionData | dynamic | Session identifiers (if provided by the audit source) |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
| UncommonForUser | dynamic | List of features observed to be statistically uncommon for the user that performed the activity |
| UserAgent | string | User agent information from the web browser or other client application |
| UserAgentTags | dynamic | More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |
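The query below is an added example, not part of the Azure Monitor or Defender XDR documentation this page reproduces. It assumes the table is CloudAppEvents (the column set above matches that Defender XDR schema) and that IP ranges your team trusts carry a customer-defined `Corporate` tag in IPTags (the tag name is an assumption; IPTags holds whatever your tenant defined). It combines the context columns above (IsAdminOperation, IsAnonymousProxy, IsImpersonated, UncommonForUser, IPTags, ObjectType/ObjectName) to surface admin operations performed from a session that is anomalous for the actor.

```kusto
// Added example, not part of the Azure Monitor / Defender XDR documentation reproduced above.
// Assumes the table is CloudAppEvents (its column set matches the schema above) and that IP
// ranges you trust carry a customer-defined "Corporate" tag in IPTags (the tag name is an
// assumption; IPTags holds whatever your tenant defined).
let lookback = 7d;
CloudAppEvents
| where TimeGenerated > ago(lookback)
| where IsAdminOperation == true
// drop events from addresses your tenant has tagged as trusted
| where not(tostring(IPTags) has "Corporate")
// keep only admin actions whose session context is anomalous for the actor
| where IsAnonymousProxy == true
     or IsImpersonated == true
     or array_length(UncommonForUser) > 0      // Defender for Cloud Apps scored a feature as unusual for this user
| extend Uncommon = tostring(UncommonForUser)
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Actions = make_set(ActionType, 20),
            Apps = make_set(Application, 10),
            Objects = make_set(strcat(ObjectType, ":", ObjectName), 20),
            SourceIPs = make_set(IPAddress, 10),
            Countries = make_set(CountryCode, 5),
            ISPs = make_set(ISP, 5)
    by AccountObjectId, AccountDisplayName, AccountType, IsAnonymousProxy, IsImpersonated, Uncommon
| order by Events desc
```

Grouping by the stringified UncommonForUser list keeps one row per distinct anomaly profile for an account, so a single admin with both a new ISP and an anonymous-proxy session shows up as separate rows. Replace the `Corporate` exclusion with your own IPTags values, and pivot into RawEventData on the rows that need the original audit record.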
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Unusual Volume of file deletion by users | |
In solution Threat Intelligence:
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Domain entity to Cloud App Events | |
| TI map Email entity to Cloud App Events | |
| TI map IP entity to Cloud App Events | |
| TI map URL entity to Cloud App Events | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| AIR investigation actions insight | ActionType == "AirInvestigationData" |
| Admin Submission Trend (FN) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submission Trend (FP) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submissions by Detection Type | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by DetectionMethod (Phish FP) | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by DetectionMethod (Spam FP) | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by Grading verdict (FN-FP) | ActionType contains "AdminSubmissionTriage" |
| Admin Submissions by Submission State (FN) | ActionType contains "AdminSubmission" |
| Admin Submissions by Submission State (FP) | ActionType contains "AdminSubmission" |
| Admin Submissions by Submission Type (FN) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submissions by Submission Type (FP) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| BEC - File sharing tactics - Dropbox | ActionType in "Added users and/or groups to shared file/folder,Invited user to Dropboxadded them to shared file/folder"; Application == "Dropbox"; ObjectType == "File" |
| BEC - File sharing tactics - OneDrive or SharePoint | ActionType in "AddedToSecureLink,SecureLinkCreated"; Application in "Microsoft OneDrive for Business,Microsoft SharePoint Online" |
| Calculate overall MDO efficacy | |
| File Malware Detection Trend | ActionType == "FileMalwareDetected" |
| File Malware by Top Malware Families (Anti Virus) | ActionType == "FileMalwareDetected" |
| File Malware by Top Malware Families (Safe Attachments) | ActionType == "FileMalwareDetected"; UserAgent == "MS Scanner ATP" |
| MDO Threat Protection Detections trend over time | |
| Malware detections by Workload Locations | ActionType == "FileMalwareDetected" |
| Malware detections by Workload Type | ActionType == "FileMalwareDetected" |
| Teams Admin submission of Malware and Phish daily trend | ActionType == "AdminSubmissionSubmitted" |
| Teams Admin submission of No Threats daily trend | ActionType == "AdminSubmissionSubmitted" |
| Teams Admin-User Submissions Grading Verdicts | ActionType in "AdminSubmissionTriage,UserSubmissionTriage" |
| Top 10 Detection Overrides - Admin Email Submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin email submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin email submissions (FP) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing admin submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing admin submissions (FP) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing user submissions | ActionType == "UserSubmission" |
| Total Submissions by Submission Type | ActionType in "AdminSubmission,UserSubmission" |
| Total Submissions by Submission Type | ActionType in "AdminSubmission,UserSubmission" |
| Total number of detections by MDO | |
| Unusual Volume of file deletion by users | |
| User Email Submission Trend (FN) | ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" |
| User Email Submissions (FN) - Top Detection Overrides by Admins | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Detection Overrides by Users | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Intra-Org P2 Senders | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Intra-Org Subjects | ActionType == "UserSubmission" |
| User Email Submissions (FN) by Submission Type | ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" |
| User Email Submissions (FN-FP) by Grading verdict | ActionType contains "UserSubmissionTriage" |
| User Email Submissions accuracy vs Admin review verdict | ActionType in "SubmissionNotification,UserSubmission" |
| User Email Submissions by Admin review status (Mark and Notify) | ActionType in "SubmissionNotification,UserSubmission" |
| User email submissions (FN) from Junk Folder | ActionType == "UserSubmission" |
GitHub Only:
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365detectionsandinsights | ActionType in "AdminSubmissionSubmitted,AttackSimUserSubmission,ClickBlocked,FileMalwareDetected,Malware ZAP,Phish ZAP,Spam ZAP,SubmissionNotification,UserSubmission"; ActionType == "Automated Remediation"; ActionType contains "AdminSubmission"; ActionType contains "AdminSubmissionTriage"; ActionType contains "Submission"; ActionType contains "UserSubmission"; ActionType contains "UserSubmissionTriage"; ActionType contains "ZAP"; ActionType has "Malware ZAP"; ActionType has "Phish ZAP"; ActionType has "Spam ZAP"; ActionType has "ZAP"; ActionType has_any "ClickAllowed"; ActionType has_any "ClickBlocked"; ActionType has_any "UrlErrorPage"; ActionType has_any "UrlScanInProgress"; UserAgent == "MS Scanner ATP" |
References by type: 0 connectors, 60 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "AdminSubmissionSubmitted" | - | 15 | - | - | 15 |
| ActionType == "UserSubmission" | - | 12 | - | - | 12 |
| ActionType == "FileMalwareDetected" | - | 4 | - | - | 4 |
| ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" | - | 4 | - | - | 4 |
| ActionType == "QuarantineReleaseMessage" | - | 2 | - | - | 2 |
| ActionType contains "AdminSubmission" | - | 2 | - | - | 2 |
| ActionType in "AdminSubmission,UserSubmission" | - | 2 | - | - | 2 |
| ActionType in "SubmissionNotification,UserSubmission" | - | 2 | - | - | 2 |
| ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" | - | 2 | - | - | 2 |
| ActionType == "Set-AtpPolicyForO365"; Application == "Microsoft Exchange Online" | - | 1 | - | - | 1 |
| ActionType == "AdminMailAccess" | - | 1 | - | - | 1 |
| ActionType contains "TenantAllowBlockListItems" | - | 1 | - | - | 1 |
| ActionType in "AdminSubmission,UserSubmission"; ActionType contains "ZAP" | - | 1 | - | - | 1 |
| ActionType == "New-TenantAllowBlockListItems" | - | 1 | - | - | 1 |
| ActionType in "Added users and/or groups to shared file/folder,Invited user to Dropboxadded them to shared file/folder"; Application == "Dropbox"; ObjectType == "File" | - | 1 | - | - | 1 |
| ActionType in "AddedToSecureLink,SecureLinkCreated"; Application in "Microsoft OneDrive for Business,Microsoft SharePoint Online" | - | 1 | - | - | 1 |
| ActionType contains "Set-InboxRule" | - | 1 | - | - | 1 |
| ActionType == "FileMalwareDetected"; UserAgent == "MS Scanner ATP" | - | 1 | - | - | 1 |
| ActionType in "AdminSubmissionTriage,UserSubmissionTriage" | - | 1 | - | - | 1 |
| ActionType == "MailItemsAccessed" | - | 1 | - | - | 1 |
| ActionType == "AirInvestigationData" | - | 1 | - | - | 1 |
| ActionType contains "AdminSubmissionTriage" | - | 1 | - | - | 1 |
| ActionType contains "UserSubmissionTriage" | - | 1 | - | - | 1 |
| ActionType in "AdminSubmissionSubmitted,AttackSimUserSubmission,ClickBlocked,FileMalwareDetected,Malware ZAP,Phish ZAP,Spam ZAP,SubmissionNotification,UserSubmission"; ActionType == "Automated Remediation"; ActionType contains "AdminSubmission"; ActionType contains "AdminSubmissionTriage"; ActionType contains "Submission"; ActionType contains "UserSubmission"; ActionType contains "UserSubmissionTriage"; ActionType contains "ZAP"; ActionType has "Malware ZAP"; ActionType has "Phish ZAP"; ActionType has "Spam ZAP"; ActionType has "ZAP"; ActionType has_any "ClickAllowed"; ActionType has_any "ClickBlocked"; ActionType has_any "UrlErrorPage"; ActionType has_any "UrlScanInProgress"; UserAgent == "MS Scanner ATP" | - | 1 | - | - | 1 |
| Total | 0 | 60 | 0 | 0 | 60 |
| ActionType Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| UserSubmission | - | 20 | - | - | 20 |
| AdminSubmissionSubmitted | - | 20 | - | - | 20 |
| FileMalwareDetected | - | 6 | - | - | 6 |
| contains Submission | - | 5 | - | - | 5 |
| AdminSubmission | - | 3 | - | - | 3 |
| contains AdminSubmission | - | 3 | - | - | 3 |
| SubmissionNotification | - | 3 | - | - | 3 |
| AttackSimUserSubmission | - | 3 | - | - | 3 |
| contains UserSubmission | - | 3 | - | - | 3 |
| contains ZAP | - | 2 | - | - | 2 |
| QuarantineReleaseMessage | - | 2 | - | - | 2 |
| contains AdminSubmissionTriage | - | 2 | - | - | 2 |
| contains UserSubmissionTriage | - | 2 | - | - | 2 |
| Set-AtpPolicyForO365 | - | 1 | - | - | 1 |
| AdminMailAccess | - | 1 | - | - | 1 |
| contains TenantAllowBlockListItems | - | 1 | - | - | 1 |
| New-TenantAllowBlockListItems | - | 1 | - | - | 1 |
| Added users and/or groups to shared file/folder | - | 1 | - | - | 1 |
| Invited user to Dropbox | - | 1 | - | - | 1 |
| AddedToSecureLink | - | 1 | - | - | 1 |
| SecureLinkCreated | - | 1 | - | - | 1 |
| contains Set-InboxRule | - | 1 | - | - | 1 |
| AdminSubmissionTriage | - | 1 | - | - | 1 |
| UserSubmissionTriage | - | 1 | - | - | 1 |
| MailItemsAccessed | - | 1 | - | - | 1 |
| AirInvestigationData | - | 1 | - | - | 1 |
| ClickBlocked | - | 1 | - | - | 1 |
| Malware ZAP | - | 1 | - | - | 1 |
| Phish ZAP | - | 1 | - | - | 1 |
| Spam ZAP | - | 1 | - | - | 1 |
| Automated Remediation | - | 1 | - | - | 1 |
| has Malware ZAP | - | 1 | - | - | 1 |
| has Phish ZAP | - | 1 | - | - | 1 |
| has Spam ZAP | - | 1 | - | - | 1 |
| has ZAP | - | 1 | - | - | 1 |
| has_any ClickAllowed | - | 1 | - | - | 1 |
| has_any ClickBlocked | - | 1 | - | - | 1 |
| has_any UrlErrorPage | - | 1 | - | - | 1 |
| has_any UrlScanInProgress | - | 1 | - | - | 1 |
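The selection criteria above show the Defender for Office 365 content leaning on submission and malware ActionTypes, while the mailbox-manipulation values (`Set-InboxRule`, `MailItemsAccessed`, `AdminMailAccess`) are each used by a single item. The query below is an added example, not from this page or from Microsoft's Sentinel content, that chains two of those values into a business-email-compromise hunt. Assumptions: the table is CloudAppEvents; Exchange Online cmdlet audit records expose their arguments as `RawEventData.Parameters`, an array of `{Name, Value}` objects as in the Office 365 unified audit log; and `New-InboxRule` is included alongside the page's `Set-InboxRule`.

```kusto
// Added example, not from this page or from Microsoft's Sentinel content. Assumes the table is
// CloudAppEvents and that Exchange Online cmdlet audit records expose the cmdlet arguments as
// RawEventData.Parameters, an array of {Name, Value} objects (the Office 365 unified audit log
// shape). New-InboxRule is included as an assumption alongside the page's Set-InboxRule.
let lookback = 14d;
// 1. Inbox rules that forward, redirect or silently delete mail
let RuleChanges = CloudAppEvents
| where TimeGenerated > ago(lookback)
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule")
| mv-apply p = RawEventData.Parameters on (
    // collapse the Name/Value array into one bag: {"ForwardTo": "...", "DeleteMessage": "True", ...}
    summarize Params = make_bag(bag_pack(tostring(p.Name), tostring(p.Value)))
  )
| where isnotempty(Params.ForwardTo)
     or isnotempty(Params.RedirectTo)
     or isnotempty(Params.ForwardAsAttachmentTo)
     or tobool(Params.DeleteMessage) == true
| project RuleTime = TimeGenerated, AccountObjectId, AccountDisplayName, ActionType,
          RuleIP = IPAddress, IsAnonymousProxy, UncommonForUser, Params;
// 2. Mailbox reads by the same account from the same address: the session that set the rule
let Reads = CloudAppEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "MailItemsAccessed"
| summarize ReadCount = count(), FirstRead = min(TimeGenerated) by AccountObjectId, IPAddress;
RuleChanges
| join kind=leftouter Reads on AccountObjectId, $left.RuleIP == $right.IPAddress
| project RuleTime, AccountDisplayName, ActionType, RuleIP, IsAnonymousProxy, UncommonForUser,
          Params, ReadCount, FirstRead
| order by RuleTime desc
```

A rule change whose source IP also shows MailItemsAccessed activity, and whose IsAnonymousProxy or UncommonForUser columns are set, is the pattern to triage first; the left-outer join keeps rule changes with no matching reads so a forwarding rule set from a fresh IP is not lost.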
| Application Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft Exchange Online | - | 1 | - | - | 1 |
| Dropbox | - | 1 | - | - | 1 |
| Microsoft OneDrive for Business | - | 1 | - | - | 1 |
| Microsoft SharePoint Online | - | 1 | - | - | 1 |
| ObjectType Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| File | - | 1 | - | - | 1 |
| UserAgent Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| MS Scanner ATP | - | 2 | - | - | 2 |