Reference for OfficeActivity table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Office 365 |
| Basic Logs Eligible | ✗ No (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AADGroupId | string | Azure Active Directory group id |
| AADTarget | string | The user that the action (identified by the Operation property) was performed on |
| Activity | string | The activity that the user performed. |
| Actor | string | The user or service principal that performed the action |
| ActorContextId | string | The GUID of the organization that the actor belongs to |
| ActorIpAddress | string | The actor's IP address in IPV4 or IPV6 address format |
| AddOnGuid | string | The unique identifier of the add-on that generated this event |
| AddonName | string | The name of the add-on that generated this event |
| AddOnType | string | The type of add-on that generated this event |
| AffectedItems | string | Information about each item in the group |
| AppAccessContext | dynamic | The application context for the user or service principal that performed the action. |
| AppDistributionMode | string | Application distribution mode |
| AppId | string | Application ID |
| Application | string | The application name |
| ApplicationId | string | SharePoint application ID |
| AppPoolName | string | The App pool name |
| ArtifactsShared | dynamic | The artifacts shared in the meeting. |
| Attendees | dynamic | The list of attendees for the meeting. |
| AzureActiveDirectory_EventType | string | The type of Azure AD event |
| AzureADAppId | string | Teams Application Azure AD ID |
| ChannelGuid | string | A unique identifier for the channel being audited |
| ChannelName | string | The name of the channel being audited |
| ChannelType | string | The type of channel being audited (Standard/Private) |
| ChatName | string | The name of the chat |
| ChatThreadId | string | The Id of the chat thread |
| Client | string | Details about the client device, device OS, and device browser that was used for the account login event |
| Client_IPAddress | string | The IP address of the device that was used when the operation was logged |
| ClientAppId | string | Client application ID |
| ClientInfoString | string | Information about the email client that was used to perform the operation |
| ClientIP | string | The IP address of the device that was used when the activity was logged |
| ClientMachineName | string | The machine name that hosts the Outlook client |
| ClientProcessName | string | The email client that was used to access the mailbox |
| ClientVersion | string | The version of the email client |
| CommunicationType | string | The type of communications that was conducted |
| CrossMailboxOperations | bool | Indicates if the operation involved more than one mailbox |
| CustomEvent | string | Optional string for custom events |
| DataCenterSecurityEventType | int | The type of cmdlet event in Lockbox |
| DestFolder | string | The destination folder |
| DestinationFileExtension | string | The file extension of a file that is copied or moved |
| DestinationFileName | string | The name of the file that is copied or moved |
| DestinationRelativeUrl | string | The URL of the destination folder where a file is copied or moved |
| DestMailboxId | string | Set only if the CrossMailboxOperations parameter is True |
| DestMailboxOwnerMasterAccountSid | string | Set only if the CrossMailboxOperations parameter is True |
| DestMailboxOwnerSid | string | Set only if the CrossMailboxOperations parameter is True |
| DestMailboxOwnerUPN | string | Set only if the CrossMailboxOperations parameter is True |
| DeviceInformation | string | The user device information. |
| EffectiveOrganization | string | The name of the tenant that the elevation/cmdlet was targeted at |
| ElevationApprovedTime | datetime | The timestamp for when the elevation was approved |
| ElevationApprover | string | The name of a Microsoft manager |
| ElevationDuration | int | The duration for which the elevation was active (in Hours) |
| ElevationRequestId | string | A unique identifier for the elevation request |
| ElevationRole | string | The role the elevation was requested for |
| ElevationTime | datetime | The start time of the elevation |
| Event_Data | string | Optional payload for custom events |
| EventSource | string | Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel |
| ExtendedProperties | string | The extended properties of the Azure AD event |
| ExternalAccess | string | Specifies whether the cmdlet was run by a user in your organization |
| ExtraProperties | dynamic | A list of extra properties |
| Folder | string | The folder where a group of items is located |
| Folders | string | Information about the source folders involved in an operation |
| GenericInfo | string | Used for comments and other generic information |
| InternalLogonType | int | Reserved for internal use |
| InterSystemsId | string | The GUID that tracks the actions across components within the Office 365 service |
| IntraSystemId | string | The GUID that's generated by Azure Active Directory to track the action |
| IsJoinedFromLobby | bool | Indicates whether the user joined from the lobby. |
| IsManagedDevice | bool | Indicates if the operation was created by a device managed by the organization |
| Item | string | Represents the item upon which the operation was performed |
| ItemName | string | The string in the Subject field of the email message |
| ItemType | string | The type of object that was accessed or modified. See the ItemType table for details on the types of objects |
| JoinTime | datetime | The time the user joined the meeting. |
| LeaveTime | datetime | The time the user left the meeting. |
| ListItemUniqueId | string | The GUID that uniquely identifies a list item. This information is present only if it is applicable. |
| LoginStatus | int | This property is taken directly from OrgIdLogon.LoginStatus. Alerting logic can map the various logon failure codes of interest |
| Logon_Type | string | Indicates the type of user who accessed the mailbox and performed the operation that was logged |
| LogonUserDisplayName | string | The user-friendly name of the user who performed the operation |
| LogonUserSid | string | The SID of the user who performed the operation |
| MachineDomainInfo | string | Information about device sync operations |
| MachineId | string | Information about device sync operations |
| MailboxGuid | string | The Exchange GUID of the mailbox that was accessed |
| MailboxOwnerMasterAccountSid | string | Mailbox owner account's master account SID |
| MailboxOwnerSid | string | The SID of the mailbox owner |
| MailboxOwnerUPN | string | The email address of the person who owns the mailbox that was accessed |
| MeetingDetailId | string | The meeting detail ID. |
| Members | dynamic | A list of users within a Team |
| MessageId | string | An identifier for a chat or channel message |
| ModifiedObjectResolvedName | string | The user-friendly name of the object that was modified by the cmdlet |
| ModifiedProperties | string | The property is included for admin events, such as adding a user as a member of a site or a site collection admin group |
| NewValue | string | Only present for settings events. New value of the setting |
| OfficeId | string | Unique identifier of an audit record |
| OfficeObjectId | string | For SharePoint and OneDrive for Business activity |
| OfficeTenantId | string | The office tenant id |
| OfficeWorkload | string | The Office 365 service where the activity occurred |
| OldValue | string | Only present for settings events. Old value of the setting |
| Operation | string | The name of the operation that the user is performing |
| OperationProperties | dynamic | Additional operation properties |
| OperationScope | string | The scope the operation was performed on |
| OrganizationId | string | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization |
| OrganizationName | string | The name of the tenant |
| OriginatingServer | string | The name of the server from which the cmdlet was executed |
| Parameters | string | The name and value for all parameters that were used with the cmdlet that is identified in the Operations property |
| RecordType | string | The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records |
| ResultReasonType | string | Reason for the result reported in ResultType |
| ResultStatus | string | Indicates whether the action (specified in the Operation property) was successful or not |
| SendAsUserMailboxGuid | string | The Exchange GUID of the mailbox that was accessed to send email as |
| SendAsUserSmtp | string | SMTP address of the user who is being impersonated |
| SendonBehalfOfUserMailboxGuid | string | The Exchange GUID of the mailbox that was accessed to send mail on behalf of |
| SendOnBehalfOfUserSmtp | string | SMTP address of the user on whose behalf the email is sent |
| SensitivityLabelId | string | The current sensitivity label ID of the file. |
| SharingType | string | The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter |
| Site_ | string | The GUID of the site where the file or folder accessed by the user is located |
| Site_Url | string | The URL of the site where the file or folder accessed by the user is located |
| Source_Name | string | The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel |
| SourceFileExtension | string | The file extension of the file that was accessed by the user |
| SourceFileName | string | The name of the file or folder accessed by the user |
| SourceRecordId | string | Unique identifier of an audit record |
| SourceRelativeUrl | string | The URL of the folder that contains the file accessed by the user |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SRPolicyId | string | Policy ID |
| SRPolicyName | string | Policy name |
| SRRuleMatchDetails | dynamic | Rule details |
| Start_Time | datetime | The date and time at which the cmdlet was executed |
| SupportTicketId | string | The customer support ticket ID for the action in 'act-on-behalf-of' situations |
| TabType | string | The type of tab that generated this event |
| TargetContextId | string | The GUID of the organization that the targeted user belongs to |
| TargetUserId | string | Target user id |
| TargetUserOrGroupName | string | Stores the UPN or name of the target user or group that a resource was shared with |
| TargetUserOrGroupType | string | Identifies whether the target user or group is a Member, Guest, Group, or Partner |
| TeamGuid | string | A unique identifier for the team being audited |
| TeamName | string | The name of the team being audited |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time in Coordinated Universal Time (UTC) when the user performed the activity |
| Type | string | The name of the table |
| UniqueSharingId | string | The unique sharing ID associated with the sharing operation. |
| UserAgent | string | The user agent |
| UserDomain | string | The domain of the user |
| UserId | string | The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged |
| UserKey | string | An alternative ID for the user identified in the UserId property |
| UserSharedWith | string | The user that a resource was shared with |
| UserType | string | The type of user that performed the operation. See the UserType table for details on the types of users |
This table is used by the following solutions:
This table is ingested by the following connectors:
Selection Criteria: OfficeWorkload in "Exchange,MicrosoftTeams,OneDrive,SharePoint"
| Connector |
|---|
| Microsoft 365 (formerly, Office 365) |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
| User agent search for log4j exploitation attempt | |
In solution Business Email Compromise - Financial Fraud:
Selection Criteria: Operation == "New-InboxRule"; Parameters has "DeleteMessage"; Parameters has "Deleted Items"; Parameters has "Junk Email"
| Analytic Rule |
|---|
| Malicious BEC Inbox Rule |
In solution GreyNoiseThreatIntelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| GreyNoise TI map IP entity to OfficeActivity |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in OfficeActivity |
In solution Microsoft 365:
| Analytic Rule | Selection Criteria |
|---|---|
| Accessed files shared by temporary external user | OfficeWorkload == "MicrosoftTeams"; Operation in "FileAccessed,FileUploaded"; Operation in "MemberAdded,MemberRemoved"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" |
| Exchange AuditLog Disabled | OfficeWorkload == "Exchange"; Operation == "Set-AdminAuditLogConfig"; UserType in "Admin,DcAdmin" |
| Exchange workflow MailItemsAccessed operation anomaly | OfficeWorkload == "Exchange"; Operation == "MailItemsAccessed"; ResultStatus == "Succeeded" |
| External user added and removed in short timeframe | OfficeWorkload == "MicrosoftTeams" |
| Mail redirect via ExO transport rule | OfficeWorkload == "Exchange" |
| Malicious Inbox Rule | OfficeWorkload == "Exchange"; Operation == "New-InboxRule"; Parameters has "DeleteMessage"; Parameters has "Deleted Items"; Parameters has "Junk Email"; ResultStatus in "Succeeded,True" |
| Multiple Teams deleted by a single user | OfficeWorkload == "MicrosoftTeams"; Operation == "TeamDeleted" |
| Multiple users email forwarded to same destination | OfficeWorkload == "Exchange"; Operation in "New-InboxRule,Set-InboxRule,Set-Mailbox"; Parameters has_any "ForwardTo" |
| New executable via Office FileUploaded Operation | Operation contains "download"; Operation contains "upload" |
| Office Policy Tampering | ClientIP has "."; ClientIP has "["; RecordType == "ExchangeAdmin"; UserType in "Admin,DcAdmin" |
| Office365 Sharepoint File transfer Folders above threshold | EventSource == "SharePoint"; OfficeWorkload has_any "OneDrive,SharePoint"; Operation has_any "FileDownloaded" |
| Office365 Sharepoint File transfer above threshold | EventSource == "SharePoint"; OfficeWorkload has_any "OneDrive,SharePoint"; Operation has_any "FileDownloaded" |
| Rare and potentially high-risk Office operations | Operation in "Add-MailboxFolderPermission,Add-MailboxPermission,New-InboxRule,New-ManagementRoleAssignment,Set-InboxRule,Set-Mailbox,Set-TransportRule"; UserId has_any "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" |
| SharePointFileOperation via devices with previously unseen user agents | |
| SharePointFileOperation via previously unseen IPs | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Executable uploaded to SharePoint document management site | OfficeWorkload == "SharePoint"; Operation == "FileUploaded" |
| Dataverse - Malware found in SharePoint document management site | OfficeWorkload == "SharePoint" |
| Dataverse - Mass download from SharePoint document management | OfficeWorkload == "SharePoint"; Operation == "FileDownloaded" |
| Dataverse - New user agent type that was not used with Office 365 | |
In solution Network Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| New UserAgent observed in last 24 hours | |
In solution SecurityThreatEssentialSolution:
Selection Criteria: OfficeWorkload == "Exchange"
| Analytic Rule |
|---|
| Threat Essentials - Mail redirect via ExO transport rule |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to OfficeActivity | |
| TI map IP entity to OfficeActivity | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to OfficeActivity | |
| TI map IP entity to OfficeActivity | |
In solution ThreatConnect:
| Analytic Rule | Selection Criteria |
|---|---|
| ThreatConnect TI Map URL Entity to OfficeActivity Data | |
| ThreatConnect TI map Email entity to OfficeActivity | |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
In solution Business Email Compromise - Financial Fraud:
| Hunting Query | Selection Criteria |
|---|---|
| Email Forwarding Configuration with SAP download | |
| Office Mail Rule Creation with suspicious archive mail move activity | OfficeWorkload == "Exchange" |
In solution Microsoft 365:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous access to other users' mailboxes | Operation == "MailItemsAccessed"; ResultStatus == "Succeeded" |
| Bots added to multiple teams | OfficeWorkload == "MicrosoftTeams"; Operation == "BotAddedToTeam" |
| Exes with double file extension and access summary | OfficeObjectId has ".exe."; Operation in "FileAccessed,FileDownloaded"; RecordType == "SharePointFileOperation" |
| External user added and removed in a short timeframe | OfficeWorkload == "MicrosoftTeams"; Operation in "MemberAdded,MemberRemoved" |
| External user from a new organisation added to Teams | OfficeWorkload == "MicrosoftTeams"; Operation == "MemberAdded" |
| Files uploaded to teams and access summary | Operation in "FileAccessed,FileDownloaded,FileUploaded"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files"; UserId != "app@sharepoint" |
| Mail redirect via ExO transport rule | OfficeWorkload == "Exchange" |
| Multiple Teams deleted by a single user | OfficeWorkload == "MicrosoftTeams"; Operation == "TeamDeleted" |
| Multiple users email forwarded to same destination | OfficeWorkload == "Exchange"; Operation in "New-InboxRule,Set-InboxRule,Set-Mailbox"; Parameters has_any "ForwardTo" |
| New Admin account activity seen which was not seen historically | RecordType == "ExchangeAdmin"; UserType in "Admin,DcAdmin" |
| New Windows Reserved Filenames staged on Office file services | UserAgent !has "Mac OS" |
| Non-owner mailbox login activity | Logon_Type != "Owner"; OfficeWorkload == "Exchange"; Operation == "MailboxLogin" |
| Office Mail Forwarding - Hunting Version | ClientIP has "."; ClientIP has "["; OfficeWorkload == "Exchange"; Parameters contains "ForwardTo"; Parameters contains "ForwardingSmtpAddress"; Parameters contains "RedirectTo" |
| PowerShell or non-browser mailbox login activity | ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; OfficeWorkload == "Exchange"; Operation == "MailboxLogin" |
| Previously unseen bot or application added to Teams | OfficeWorkload == "MicrosoftTeams" |
| SharePointFileOperation via clientIP with previously unseen user agents | RecordType == "SharePointFileOperation" |
| SharePointFileOperation via devices with previously unseen user agents | Operation in "FileDownloaded,FileUploaded"; RecordType == "SharePointFileOperation" |
| SharePointFileOperation via previously unseen IPs | Operation in "FileDownloaded,FileUploaded"; RecordType == "SharePointFileOperation" |
| User added to Teams and immediately uploads file | OfficeWorkload == "MicrosoftTeams"; Operation in "FileUploaded,MemberAdded"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" |
| User made Owner of multiple teams | OfficeWorkload == "MicrosoftTeams"; Operation == "MemberRoleChanged" |
| Windows Reserved Filenames staged on Office file services | UserAgent !has "Mac OS" |
In solution Network Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Exploit and Pentest Framework User Agent | |
In solution Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to OfficeActivity Event | |
In solution Threat Intelligence (NEW):
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to OfficeActivity Event | |
In solution Apache Log4j Vulnerability Detection:
| Workbook | Selection Criteria |
|---|---|
| Log4jPostCompromiseHunting | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
Selection Criteria: RecordType == "MicrosoftTeams"
| Workbook |
|---|
| CybersecurityMaturityModelCertification_CMMCV2 |
In solution DPDP Compliance:
Selection Criteria: ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; ExternalAccess == "True"; Logon_Type != "Owner"; OfficeObjectId has ".exe."; OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; OfficeWorkload has_any "OneDrive,SharePoint"; Parameters contains "ForwardTo"; Parameters has "Deleted Items"; Parameters has "Junk Email"; RecordType in "ExchangeAdmin,SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files"
| Workbook |
|---|
| DPDPCompliance |
In solution GDPR Compliance & Data Security:
Selection Criteria: ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; ExternalAccess == "True"; Logon_Type != "Owner"; OfficeObjectId has ".exe."; OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; OfficeWorkload has_any "OneDrive,SharePoint"; Parameters contains "ForwardTo"; Parameters has "Deleted Items"; Parameters has "Junk Email"; RecordType in "ExchangeAdmin,SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files"
| Workbook |
|---|
| GDPRComplianceAndDataSecurity |
In solution Global Secure Access:
Selection Criteria: OfficeWorkload in "Exchange,OneDrive,SPO/OneDrive,SharePoint,Teams"
| Workbook |
|---|
| GSAM365EnrichedEvents |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution MaturityModelForEventLogManagementM2131:
Selection Criteria: OfficeWorkload == "Exchange"; Operation !contains "access"; Operation contains "policy"; RecordType == "ExchangeAdmin"
| Workbook |
|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft 365:
| Workbook | Selection Criteria |
|---|---|
| ExchangeOnline | ExternalAccess == "True"; OfficeWorkload == "Exchange"; Operation in "Add-MailboxPermission,MailboxLogin,Remove-MailboxPermission,Set-Mailbox,UpdateFolderPermissions"; Operation contains "HardDelete"; UserType == "Admin" |
| Office365 | ExternalAccess == "True"; OfficeWorkload in "Exchange,OneDrive,SharePoint"; Operation in "FileDownloaded,FileUploaded,MailboxLogin"; Operation contains "File"; Operation contains "Folder"; Operation contains "add"; Operation contains "create"; Operation contains "delete"; Operation contains "group"; Operation contains "update"; Operation contains "user"; UserType == "Admin" |
| SharePointAndOneDrive | OfficeWorkload in "OneDrive,SharePoint" |
In solution Microsoft Exchange Security - Exchange Online:
Selection Criteria: RecordType == "ExchangeAdmin"
| Workbook |
|---|
| Microsoft Exchange Admin Activity - Online |
| Microsoft Exchange Search AdminAuditLog - Online |
In solution MicrosoftPurviewInsiderRiskManagement:
Selection Criteria: ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; Logon_Type != "Owner"; OfficeObjectId has ".exe."; OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; Parameters contains "ForwardTo"; Parameters contains "ForwardingSmtpAddress"; Parameters has "Deleted Items"; Parameters has "Junk Email"; RecordType in "ExchangeAdmin,SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files"
| Workbook |
|---|
| InsiderRiskManagement |
In solution NISTSP80053:
Selection Criteria: Operation contains "file"
| Workbook |
|---|
| NISTSP80053 |
In solution SOC Handbook:
Selection Criteria: Operation in "New-InboxRule,Set-Mailbox"
| Workbook |
|---|
| InvestigationInsights |
In solution SOX IT Compliance:
Selection Criteria: Operation in "AddFolderPermissions,AddedToGroup,GroupAdded,MemberAdded,MemberRemoved,MemberRoleChanged,ModifyFolderPermissions,PermissionLevelAdded,Remove-ConditionalAccessPolicy,Set-ConditionalAccessPolicy,SharingSet"
| Workbook |
|---|
| SOXITCompliance |
In solution Teams:
Selection Criteria: CommunicationType == "Team"; OfficeWorkload == "MicrosoftTeams"; Operation in "AppInstalled,BotAddedToTeam,FileUploaded,MemberAdded,MemberRemoved,MemberRoleChanged,TeamDeleted,TeamsAdminAction"; Operation contains "Added"; Operation contains "Created"; Operation contains "Deleted"; Operation contains "Removed"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files"
| Workbook |
|---|
| MicrosoftTeams |
In solution ZeroTrust(TIC3.0):
Selection Criteria: RecordType == "MicrosoftTeams"
| Workbook |
|---|
| ZeroTrustTIC3 |
Selection Criteria: RecordType == "ExchangeAdmin"
| Parser | Schema | Product |
|---|---|---|
| ASimAuditEventMicrosoftExchangeAdmin365 | AuditEvent | Microsoft SharePoint |
Selection Criteria: RecordType == "ExchangeAdmin"
| Parser | Solution |
|---|---|
| MESOfficeActivityLogs | Microsoft Exchange Security - Exchange Online |
References by type: 1 connectors, 56 content items, 1 ASIM parsers, 1 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| OfficeWorkload == "Exchange" | - | 4 | - | - | 4 |
| RecordType == "ExchangeAdmin" | - | 2 | 1 | 1 | 4 |
| OfficeWorkload == "MicrosoftTeams" | - | 2 | - | - | 2 |
| OfficeWorkload == "MicrosoftTeams"; Operation == "TeamDeleted" | - | 2 | - | - | 2 |
| OfficeWorkload == "Exchange"; Operation in "New-InboxRule,Set-InboxRule,Set-Mailbox"; Parameters has_any "ForwardTo" | - | 2 | - | - | 2 |
| EventSource == "SharePoint"; OfficeWorkload has_any "OneDrive,SharePoint"; Operation has_any "FileDownloaded" | - | 2 | - | - | 2 |
| Operation in "FileDownloaded,FileUploaded"; RecordType == "SharePointFileOperation" | - | 2 | - | - | 2 |
| UserAgent !has "Mac OS" | - | 2 | - | - | 2 |
| RecordType == "MicrosoftTeams" | - | 2 | - | - | 2 |
| ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; ExternalAccess == "True"; Logon_Type != "Owner"; OfficeObjectId has ".exe."; OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; OfficeWorkload has_any "OneDrive,SharePoint"; Parameters contains "ForwardTo"; Parameters has "Deleted Items"; Parameters has "Junk Email"; RecordType in "ExchangeAdmin,SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" | - | 2 | - | - | 2 |
| OfficeWorkload in "Exchange,MicrosoftTeams,OneDrive,SharePoint" | 1 | - | - | - | 1 |
| Operation == "New-InboxRule"; Parameters has "DeleteMessage"; Parameters has "Deleted Items"; Parameters has "Junk Email" | - | 1 | - | - | 1 |
| OfficeWorkload == "Exchange"; Operation == "Set-AdminAuditLogConfig"; UserType in "Admin,DcAdmin" | - | 1 | - | - | 1 |
| OfficeWorkload == "MicrosoftTeams"; Operation in "FileAccessed,FileUploaded"; Operation in "MemberAdded,MemberRemoved"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" | - | 1 | - | - | 1 |
| OfficeWorkload == "Exchange"; Operation == "MailItemsAccessed"; ResultStatus == "Succeeded" | - | 1 | - | - | 1 |
| OfficeWorkload == "Exchange"; Operation == "New-InboxRule"; Parameters has "DeleteMessage"; Parameters has "Deleted Items"; Parameters has "Junk Email"; ResultStatus in "Succeeded,True" | - | 1 | - | - | 1 |
| ClientIP has "."; ClientIP has "["; RecordType == "ExchangeAdmin"; UserType in "Admin,DcAdmin" | - | 1 | - | - | 1 |
| Operation contains "download"; Operation contains "upload" | - | 1 | - | - | 1 |
| Operation in "Add-MailboxFolderPermission,Add-MailboxPermission,New-InboxRule,New-ManagementRoleAssignment,Set-InboxRule,Set-Mailbox,Set-TransportRule"; UserId has_any "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" | - | 1 | - | - | 1 |
| OfficeWorkload == "SharePoint"; Operation == "FileUploaded" | - | 1 | - | - | 1 |
| OfficeWorkload == "SharePoint" | - | 1 | - | - | 1 |
| OfficeWorkload == "SharePoint"; Operation == "FileDownloaded" | - | 1 | - | - | 1 |
| Operation == "MailItemsAccessed"; ResultStatus == "Succeeded" | - | 1 | - | - | 1 |
| OfficeObjectId has ".exe."; Operation in "FileAccessed,FileDownloaded"; RecordType == "SharePointFileOperation" | - | 1 | - | - | 1 |
| OfficeWorkload == "MicrosoftTeams"; Operation in "MemberAdded,MemberRemoved" | - | 1 | - | - | 1 |
| OfficeWorkload == "MicrosoftTeams"; Operation == "MemberAdded" | - | 1 | - | - | 1 |
| OfficeWorkload == "MicrosoftTeams"; Operation == "BotAddedToTeam" | - | 1 | - | - | 1 |
| OfficeWorkload == "MicrosoftTeams"; Operation == "MemberRoleChanged" | - | 1 | - | - | 1 |
| RecordType == "ExchangeAdmin"; UserType in "Admin,DcAdmin" | - | 1 | - | - | 1 |
| Logon_Type != "Owner"; OfficeWorkload == "Exchange"; Operation == "MailboxLogin" | - | 1 | - | - | 1 |
| ClientIP has "."; ClientIP has "["; OfficeWorkload == "Exchange"; Parameters contains "ForwardTo"; Parameters contains "ForwardingSmtpAddress"; Parameters contains "RedirectTo" | - | 1 | - | - | 1 |
| ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; OfficeWorkload == "Exchange"; Operation == "MailboxLogin" | - | 1 | - | - | 1 |
| RecordType == "SharePointFileOperation" | - | 1 | - | - | 1 |
| Operation in "FileAccessed,FileDownloaded,FileUploaded"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files"; UserId != "app@sharepoint" | - | 1 | - | - | 1 |
| OfficeWorkload == "MicrosoftTeams"; Operation in "FileUploaded,MemberAdded"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" | - | 1 | - | - | 1 |
| OfficeWorkload in "Exchange,OneDrive,SPO/OneDrive,SharePoint,Teams" | - | 1 | - | - | 1 |
| OfficeWorkload == "Exchange"; Operation !contains "access"; Operation contains "policy"; RecordType == "ExchangeAdmin" | - | 1 | - | - | 1 |
| ExternalAccess == "True"; OfficeWorkload == "Exchange"; Operation in "Add-MailboxPermission,MailboxLogin,Remove-MailboxPermission,Set-Mailbox,UpdateFolderPermissions"; Operation contains "HardDelete"; UserType == "Admin" | - | 1 | - | - | 1 |
| ExternalAccess == "True"; OfficeWorkload in "Exchange,OneDrive,SharePoint"; Operation in "FileDownloaded,FileUploaded,MailboxLogin"; Operation contains "File"; Operation contains "Folder"; Operation contains "add"; Operation contains "create"; Operation contains "delete"; Operation contains "group"; Operation contains "update"; Operation contains "user"; UserType == "Admin" | - | 1 | - | - | 1 |
| OfficeWorkload in "OneDrive,SharePoint" | - | 1 | - | - | 1 |
| ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"; Logon_Type != "Owner"; OfficeObjectId has ".exe."; OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; Parameters contains "ForwardTo"; Parameters contains "ForwardingSmtpAddress"; Parameters has "Deleted Items"; Parameters has "Junk Email"; RecordType in "ExchangeAdmin,SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" | - | 1 | - | - | 1 |
| Operation contains "file" | - | 1 | - | - | 1 |
| Operation in "New-InboxRule,Set-Mailbox" | - | 1 | - | - | 1 |
| Operation in "AddFolderPermissions,AddedToGroup,GroupAdded,MemberAdded,MemberRemoved,MemberRoleChanged,ModifyFolderPermissions,PermissionLevelAdded,Remove-ConditionalAccessPolicy,Set-ConditionalAccessPolicy,SharingSet" | - | 1 | - | - | 1 |
| CommunicationType == "Team"; OfficeWorkload == "MicrosoftTeams"; Operation in "AppInstalled,BotAddedToTeam,FileUploaded,MemberAdded,MemberRemoved,MemberRoleChanged,TeamDeleted,TeamsAdminAction"; Operation contains "Added"; Operation contains "Created"; Operation contains "Deleted"; Operation contains "Removed"; RecordType == "SharePointFileOperation"; SourceRelativeUrl has "Microsoft Teams Chat Files" | - | 1 | - | - | 1 |
| Total | 1 | 56 | 1 | 1 | 59 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has . | - | 2 | - | - | 2 |
| has [ | - | 2 | - | - | 2 |
| ClientInfoString | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client | - | 4 | - | - | 4 |
| CommunicationType | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Team | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SharePoint | - | 2 | - | - | 2 |
| ExternalAccess | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| True | - | 4 | - | - | 4 |
| Logon_Type | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != Owner | - | 4 | - | - | 4 |
| OfficeObjectId | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has .exe. | - | 4 | - | - | 4 |
| OfficeWorkload | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Exchange | 1 | 19 | - | - | 20 |
| MicrosoftTeams | 1 | 14 | - | - | 15 |
| SharePoint | 1 | 6 | - | - | 7 |
| has_any OneDrive | - | 7 | - | - | 7 |
| OneDrive | 1 | 3 | - | - | 4 |
| has_any SharePoint | - | 4 | - | - | 4 |
| AzureActiveDirectory | - | 3 | - | - | 3 |
| has_any Exchange | - | 3 | - | - | 3 |
| SPO/OneDrive | - | 1 | - | - | 1 |
| Teams | - | 1 | - | - | 1 |
| Operation | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| FileUploaded | - | 8 | - | - | 8 |
| New-InboxRule | - | 6 | - | - | 6 |
| MemberAdded | - | 6 | - | - | 6 |
| FileDownloaded | - | 6 | - | - | 6 |
| Set-Mailbox | - | 5 | - | - | 5 |
| MemberRemoved | - | 4 | - | - | 4 |
| MailboxLogin | - | 4 | - | - | 4 |
| FileAccessed | - | 3 | - | - | 3 |
| TeamDeleted | - | 3 | - | - | 3 |
| Set-InboxRule | - | 3 | - | - | 3 |
| MemberRoleChanged | - | 3 | - | - | 3 |
| MailItemsAccessed | - | 2 | - | - | 2 |
| Add-MailboxPermission | - | 2 | - | - | 2 |
| has_any FileDownloaded | - | 2 | - | - | 2 |
| BotAddedToTeam | - | 2 | - | - | 2 |
| Set-AdminAuditLogConfig | - | 1 | - | - | 1 |
| contains download | - | 1 | - | - | 1 |
| contains upload | - | 1 | - | - | 1 |
| Add-MailboxFolderPermission | - | 1 | - | - | 1 |
| New-ManagementRoleAssignment | - | 1 | - | - | 1 |
| Set-TransportRule | - | 1 | - | - | 1 |
| !contains access | - | 1 | - | - | 1 |
| contains policy | - | 1 | - | - | 1 |
| Remove-MailboxPermission | - | 1 | - | - | 1 |
| UpdateFolderPermissions | - | 1 | - | - | 1 |
| contains HardDelete | - | 1 | - | - | 1 |
| contains File | - | 1 | - | - | 1 |
| contains Folder | - | 1 | - | - | 1 |
| contains add | - | 1 | - | - | 1 |
| contains create | - | 1 | - | - | 1 |
| contains delete | - | 1 | - | - | 1 |
| contains group | - | 1 | - | - | 1 |
| contains update | - | 1 | - | - | 1 |
| contains user | - | 1 | - | - | 1 |
| contains file | - | 1 | - | - | 1 |
| AddFolderPermissions | - | 1 | - | - | 1 |
| AddedToGroup | - | 1 | - | - | 1 |
| GroupAdded | - | 1 | - | - | 1 |
| ModifyFolderPermissions | - | 1 | - | - | 1 |
| PermissionLevelAdded | - | 1 | - | - | 1 |
| Remove-ConditionalAccessPolicy | - | 1 | - | - | 1 |
| Set-ConditionalAccessPolicy | - | 1 | - | - | 1 |
| SharingSet | - | 1 | - | - | 1 |
| AppInstalled | - | 1 | - | - | 1 |
| TeamsAdminAction | - | 1 | - | - | 1 |
| contains Added | - | 1 | - | - | 1 |
| contains Created | - | 1 | - | - | 1 |
| contains Deleted | - | 1 | - | - | 1 |
| contains Removed | - | 1 | - | - | 1 |
| Parameters | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has Deleted Items | - | 5 | - | - | 5 |
| has Junk Email | - | 5 | - | - | 5 |
| contains ForwardTo | - | 4 | - | - | 4 |
| has DeleteMessage | - | 2 | - | - | 2 |
| has_any ForwardTo | - | 2 | - | - | 2 |
| contains ForwardingSmtpAddress | - | 2 | - | - | 2 |
| contains RedirectTo | - | 1 | - | - | 1 |
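The Exchange predicates catalogued on this page (the New-InboxRule, Set-InboxRule, Set-Mailbox and Set-TransportRule operations together with the ForwardTo, ForwardingSmtpAddress, RedirectTo, DeleteMessage, Deleted Items and Junk Email parameter filters) are the building blocks of mail-exfiltration and mail-hiding detections. The query below assembles them into one hunt; it is an added example, not a query taken from any of the content items this page counts. It assumes Parameters carries the JSON array of name/value objects that Exchange admin audit records produce; the MoveToFolder parameter name (the one whose value is "Deleted Items" or "Junk Email") and the `lookback` variable are this example's own additions.

```kql
// Added example (not a query from any content item this page counts).
// Surfaces Exchange inbox-rule and mailbox changes that forward, redirect,
// delete or hide mail, using the Operation and Parameters predicates
// catalogued on this page.
// Assumption: Parameters is the JSON array of {"Name": ..., "Value": ...}
// objects carried by Exchange admin audit records. MoveToFolder and the
// lookback variable are this example's own additions.
let lookback = 1d;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange" and RecordType == "ExchangeAdmin"
| where Operation in~ ("New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule")
// drop this line to also see attempts that failed
| where ResultStatus in~ ("Succeeded", "True")
// cheap string predicates first; they still work if Parameters is not valid JSON
| where Parameters has_any ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo", "DeleteMessage")
    or Parameters has "Deleted Items"
    or Parameters has "Junk Email"
// keep only the parameters that matter as analyst evidence
| mv-apply p = parse_json(Parameters) on (
    where tostring(p.Name) in~ ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo", "DeleteMessage", "MoveToFolder")
    | summarize Evidence = make_bag(bag_pack(tostring(p.Name), tostring(p.Value)))
  )
// changes made over remote PowerShell rather than Outlook or OWA stand out
| extend ViaRemotePowerShell = ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"
| project TimeGenerated, UserId, UserType, ClientIP, Operation, OfficeObjectId, ViaRemotePowerShell, Evidence
| order by TimeGenerated desc
```

When turning this into an analytics rule, map UserId and ClientIP as entities and baseline the ForwardingSmtpAddress values against the domains your admins legitimately forward to: Set-Mailbox with a forwarding address is routine administration in many tenants, whereas a New-InboxRule that both forwards externally and moves the original to Deleted Items is rarely benign.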
| RecordType | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SharePointFileOperation | - | 11 | - | - | 11 |
| ExchangeAdmin | - | 8 | 1 | 1 | 10 |
| MicrosoftTeams | - | 2 | - | - | 2 |
| ResultStatus | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Succeeded | - | 3 | - | - | 3 |
| True | - | 1 | - | - | 1 |
| SourceRelativeUrl | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has Microsoft Teams Chat Files | - | 7 | - | - | 7 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| !has Mac OS | - | 2 | - | - | 2 |
| UserId | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has_any NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost) | - | 1 | - | - | 1 |
| != app@sharepoint | - | 1 | - | - | 1 |
| UserType | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Admin | - | 5 | - | - | 5 |
| DcAdmin | - | 3 | - | - | 3 |