Events involving accounts and objects in Office 365 and other cloud apps and services
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AccountDisplayName | string | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. |
| AccountId | string | An identifier for the account as found by Microsoft Cloud App Security. Could be Azure Active Directory ID, user principal name, or other identifiers |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountType | string | Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application |
| ActionType | string | Type of activity that triggered the event |
| ActivityObjects | dynamic | List of objects, such as files or folders, that were involved in the recorded activity |
| ActivityType | string | Type of activity that triggered the event |
| AdditionalFields | dynamic | Additional information about the entity or event |
| AppInstanceId | int | Unique identifier for the instance of an application |
| Application | string | Application that performed the recorded action |
| ApplicationId | int | Unique identifier for the application |
| AuditSource | string | Cloud environment source of the cloud audit event. Could be Azure, AWS, GCP, AliCloud or other |
| City | string | City where the client IP address is geolocated |
| CountryCode | string | Two-letter code indicating the country where the client IP address is geolocated |
| DeviceType | string | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
| IPAddress | string | IP address assigned to the device during communication |
| IPCategory | string | Additional information about the IP address |
| IPTags | dynamic | Customer-defined information applied to specific IP addresses and IP address ranges |
| IsAdminOperation | bool | Indicates whether the activity was performed by an administrator |
| IsAnonymousProxy | bool | Indicates whether the IP address belongs to a known anonymous proxy |
| IsExternalUser | bool | Indicates whether a user inside the network doesn't belong to the organization's domain |
| IsImpersonated | bool | Indicates whether the activity was performed by one user for another (impersonated) user |
| ISP | string | Internet service provider associated with the IP address |
| LastSeenForUser | dynamic | Number of days since each statistical feature for the user was last seen |
| OAuthAppId | string | A unique identifier that's assigned to an application when it's registered to Entra with OAuth 2.0. |
| ObjectId | string | Unique identifier of the object that the recorded action was applied to |
| ObjectName | string | Name of the object that the recorded action was applied to |
| ObjectType | string | The type of object, such as a file or a folder, that the recorded action was applied to |
| OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| RawEventData | dynamic | Raw event information from the source application or service in JSON format |
| ReportId | string | Unique identifier for the event |
| SessionData | dynamic | Session identifiers (if provided by the audit source) |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
| UncommonForUser | dynamic | List of features observed to be statistically uncommon for the user that performed the activity |
| UserAgent | string | User agent information from the web browser or other client application |
| UserAgentTags | dynamic | More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Unusual Volume of file deletion by users | |
In solution Threat Intelligence:
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Domain entity to Cloud App Events | |
| TI map Email entity to Cloud App Events | |
| TI map IP entity to Cloud App Events | |
| TI map URL entity to Cloud App Events | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Mass Download & copy to USB device by single user | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| AIR investigation actions insight | ActionType == "AirInvestigationData" |
| Admin Submission Trend (FN) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submission Trend (FP) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submissions by Detection Type | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by DetectionMethod (Phish FP) | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by DetectionMethod (Spam FP) | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by Grading verdict (FN-FP) | ActionType contains "AdminSubmissionTriage" |
| Admin Submissions by Submission State (FN) | ActionType contains "AdminSubmission" |
| Admin Submissions by Submission State (FP) | ActionType contains "AdminSubmission" |
| Admin Submissions by Submission Type (FN) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submissions by Submission Type (FP) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| BEC - File sharing tactics - Dropbox | ActionType in "Added users and/or groups to shared file/folder,Invited user to Dropboxadded them to shared file/folder" |
| BEC - File sharing tactics - OneDrive or SharePoint | ActionType in "AddedToSecureLink,SecureLinkCreated" |
| Calculate overall MDO efficacy | ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery" |
| File Malware Detection Trend | ActionType == "FileMalwareDetected" |
| File Malware by Top Malware Families (Anti Virus) | ActionType == "FileMalwareDetected" |
| File Malware by Top Malware Families (Safe Attachments) | ActionType == "FileMalwareDetected" |
| MDO Threat Protection Detections trend over time | ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" |
| Malware detections by Workload Locations | ActionType == "FileMalwareDetected" |
| Malware detections by Workload Type | ActionType == "FileMalwareDetected" |
| Teams Admin submission of Malware and Phish daily trend | ActionType == "AdminSubmissionSubmitted" |
| Teams Admin submission of No Threats daily trend | ActionType == "AdminSubmissionSubmitted" |
| Teams Admin-User Submissions Grading Verdicts | ActionType in "AdminSubmissionTriage,UserSubmissionTriage" |
| Top 10 Detection Overrides - Admin Email Submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin email submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin email submissions (FP) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing admin submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing admin submissions (FP) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing user submissions | ActionType == "UserSubmission" |
| Total Submissions by Submission Type | ActionType in "AdminSubmission,UserSubmission" |
| Total Submissions by Submission Type | ActionType in "AdminSubmission,UserSubmission" |
| Total number of detections by MDO | ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" |
| Unusual Volume of file deletion by users | |
| User Email Submission Trend (FN) | ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" |
| User Email Submissions (FN) - Top Detection Overrides by Admins | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Detection Overrides by Users | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Intra-Org P2 Senders | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Intra-Org Subjects | ActionType == "UserSubmission" |
| User Email Submissions (FN) by Submission Type | ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" |
| User Email Submissions (FN-FP) by Grading verdict | ActionType contains "UserSubmissionTriage" |
| User Email Submissions accuracy vs Admin review verdict | ActionType in "SubmissionNotification,UserSubmission" |
| User Email Submissions by Admin review status (Mark and Notify) | ActionType in "SubmissionNotification,UserSubmission" |
| User email submissions (FN) from Junk Folder | ActionType == "UserSubmission" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| ADFSDomainTrustMods[Nobelium] | ActionType in "Set domain authentication.,Set federation settings on domain." |
| AIR investigation actions insight | ActionType == "AirInvestigationData" |
| ATP policy status check | ActionType == "Set-AtpPolicyForO365" |
| ATP policy status check | ActionType == "Set-AtpPolicyForO365" |
| Add uncommon credential type to application [Nobelium] | ActionType in "Add service principal credentials.,Update application - Certificatessecrets management" |
| AddedCredentialFromContryXAndSigninFromCountryY | ActionType in "Add service principal credentials.,Update application - Certificatessecrets management" |
| Admin Submission Trend (FN) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submission Trend (FP) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submissions by Detection Type | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by DetectionMethod (Phish FP) | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by DetectionMethod (Spam FP) | ActionType == "AdminSubmissionSubmitted" |
| Admin Submissions by Grading verdict (FN-FP) | ActionType contains "AdminSubmissionTriage" |
| Admin Submissions by Submission State (FN) | ActionType contains "AdminSubmission" |
| Admin Submissions by Submission State (FP) | ActionType contains "AdminSubmission" |
| Admin Submissions by Submission Type (FN) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Admin Submissions by Submission Type (FP) | ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" |
| Anomaly of MailItemAccess by GraphAPI [Nobelium] | ActionType == "MailItemsAccessed" |
| Anomaly of MailItemAccess by Other Users Mailbox [Nobelium] | ActionType == "MailItemsAccessed" |
| Audit Email Preview-Download action | |
| Audit Email Preview-Download action | |
| BEC - File sharing tactics - Dropbox | ActionType in "Added users and/or groups to shared file/folder,Invited user to Dropboxadded them to shared file/folder" |
| BEC - File sharing tactics - OneDrive or SharePoint | ActionType in "AddedToSecureLink,SecureLinkCreated" |
| Calculate overall MDO efficacy | ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery" |
| Changes to Blocked Teams Domains | ActionType == "TeamsAdminAction" |
| Changes to Blocked Teams Domains (NRT) | ActionType == "TeamsAdminAction" |
| Copilot Studio AI Agents - Dormant Author Authentication Connection | ActionType == "CopilotInteraction" |
| Copilot Studio AI Agents - Published Dormant (30d) | ActionType == "CopilotInteraction" |
| CredentialsAddAfterAdminConsentedToApp[Nobelium] | ActionType in "Add service principal credentials.,Consent to application.,Update application - Certificatessecrets management" |
| Email containing malware accessed on a unmanaged device | |
| Email containing malware accessed on a unmanaged device | |
| File Malware Detection Trend | ActionType == "FileMalwareDetected" |
| File Malware by Top Malware Families (Anti Virus) | ActionType == "FileMalwareDetected" |
| File Malware by Top Malware Families (Safe Attachments) | ActionType == "FileMalwareDetected" |
| Group quarantine release | ActionType == "QuarantineReleaseMessage" |
| Group quarantine release | ActionType == "QuarantineReleaseMessage" |
| High Confidence Phish Released | ActionType == "QuarantineReleaseMessage" |
| High Confidence Phish Released | ActionType == "QuarantineReleaseMessage" |
| Hunt for Admin email access | ActionType == "AdminMailAccess" |
| Hunt for Admin email access | ActionType == "AdminMailAccess" |
| Hunt for TABL changes | ActionType contains "TenantAllowBlockListItems" |
| Hunt for TABL changes | ActionType contains "TenantAllowBlockListItems" |
| Inbox rule changes which forward-redirect email | ActionType contains "Set-InboxRule" |
| Inbox rule changes which forward-redirect email | ActionType contains "Set-InboxRule" |
| Integrate Purview with Cloud App Events | |
| MDO Threat Protection Detections trend over time | ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" |
| MDO daily detection summary report | ActionType in "AdminSubmission,UserSubmission"; ActionType contains "ZAP" |
| MDO daily detection summary report | ActionType in "AdminSubmission,UserSubmission"; ActionType contains "ZAP" |
| Mail item accessed | |
| Mail item accessed | |
| MailItemsAccessed Throttling [Nobelium] | ActionType == "MailItemsAccessed" |
| MailItemsAccessedTimeSeries[Solarigate] | ActionType == "MailItemsAccessed" |
| MailPermissionsAddedToApplication[Nobelium] | ActionType in "Add delegated permission grant.,Consent to application." |
| Malware detections by Workload Locations | ActionType == "FileMalwareDetected" |
| Malware detections by Workload Type | ActionType == "FileMalwareDetected" |
| Multiple Entra ID Admin Removals | ActionType in "Remove eligible member from role.,Remove member from role." |
| New TABL Items | ActionType == "New-TenantAllowBlockListItems" |
| New TABL Items | ActionType == "New-TenantAllowBlockListItems" |
| NewAppOrServicePrincipalCredential[Nobelium] | ActionType in "Add service principal credentials.,Add service principal.,Update application Certificatessecrets management" |
| Number of unique accounts performing Teams message Admin submissions | ActionType == "AdminSubmissionSubmitted" |
| Number of unique accounts performing Teams message Admin submissions | ActionType == "AdminSubmissionSubmitted" |
| Number of unique accounts performing Teams message User submissions | ActionType == "UserSubmission" |
| Number of unique accounts performing Teams message User submissions | ActionType == "UserSubmission" |
| OAuth Apps accessing user mail via GraphAPI [Nobelium] | ActionType == "MailItemsAccessed" |
| OAuth Apps reading mail both via GraphAPI and directly [Nobelium] | ActionType == "MailItemsAccessed" |
| OAuth Apps reading mail via GraphAPI anomaly [Nobelium] | ActionType == "MailItemsAccessed" |
| Policy configuration changes for CloudApp Events | ActionType in "Add owner to policy.,Add policy to service principal.,Add policy.,Delete policy.,Remove-CrossTenantAccessPolicy,Remove-LabelPolicy,Update authorization policy.,Update policy.,Write PolicyAssignments,Write PolicyExemptions" |
| Quarantine Release Email Details | ActionType == "QuarantineReleaseMessage" |
| Quarantine Release Email Details | ActionType == "QuarantineReleaseMessage" |
| Quarantine release trend | ActionType == "QuarantineReleaseMessage" |
| Quarantine release trend | ActionType == "QuarantineReleaseMessage" |
| Risky Sign-in with Device Registration | ActionType == "Add registered owner to device." |
| Risky Sign-in with ElevateAccess | |
| Risky Sign-in with new MFA method | ActionType == "Update user." |
| ServicePrincipalAddedToRole [Nobelium] | ActionType == "Add member to role." |
| Status of submissions | ActionType in "AdminSubmission,UserSubmission" |
| Suspicious sign-in attempts from QR code phishing campaigns | ActionType == "MailItemsAccessed" |
| Suspicious sign-in attempts from QR code phishing campaigns | ActionType == "MailItemsAccessed" |
| Teams Admin submission of Malware and Phish daily trend | ActionType == "AdminSubmissionSubmitted" |
| Teams Admin submission of No Threats daily trend | ActionType == "AdminSubmissionSubmitted" |
| Teams Admin-User Submissions Grading Verdicts | ActionType in "AdminSubmissionTriage,UserSubmissionTriage" |
| Teams User submissions daily trend | ActionType == "UserSubmission" |
| Teams User submissions daily trend | ActionType == "UserSubmission" |
| Top 10 Detection Overrides - Admin Email Submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin Teams message submissions FN | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin Teams message submissions FN | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin email submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Admin email submissions (FP) | ActionType == "AdminSubmissionSubmitted" |
| Top 10 sender domains - Teams user submissions FN or FP | ActionType == "UserSubmission" |
| Top 10 sender domains - Teams user submissions FN or FP | ActionType == "UserSubmission" |
| Top 10 senders - Teams users submissions FN or FP | ActionType == "UserSubmission" |
| Top 10 senders - Teams users submissions FN or FP | ActionType == "UserSubmission" |
| Top 10 senders of Admin Teams message submissions FN | ActionType == "AdminSubmissionSubmitted" |
| Top 10 senders of Admin Teams message submissions FN | ActionType == "AdminSubmissionSubmitted" |
| Top 10 senders of Admin Teams message submissions FP | ActionType == "AdminSubmissionSubmitted" |
| Top 10 senders of Admin Teams message submissions FP | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing Teams admin submissions FN or FP | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing Teams admin submissions FN or FP | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing Teams user submissions FN or FP | ActionType == "UserSubmission" |
| Top accounts performing Teams user submissions FN or FP | ActionType == "UserSubmission" |
| Top accounts performing admin submissions (FN) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing admin submissions (FP) | ActionType == "AdminSubmissionSubmitted" |
| Top accounts performing user submissions | ActionType == "UserSubmission" |
| Total Submissions by Submission State | ActionType in "AdminSubmission,UserSubmission" |
| Total Submissions by Submission Type | ActionType in "AdminSubmission,UserSubmission" |
| Total number of detections by MDO | ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" |
| Unusual volume of file deletion by user. | |
| UpdateStsRefreshToken[Solorigate] | ActionType == "Update StsRefreshTokenValidFrom Timestamp." |
| User Email Submission Trend (FN) | ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" |
| User Email Submissions (FN) - Top Detection Overrides by Admins | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Detection Overrides by Users | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Intra-Org P2 Senders | ActionType == "UserSubmission" |
| User Email Submissions (FN) - Top Intra-Org Subjects | ActionType == "UserSubmission" |
| User Email Submissions (FN) by Submission Type | ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" |
| User Email Submissions (FN-FP) by Grading verdict | ActionType contains "UserSubmissionTriage" |
| User Email Submissions accuracy vs Admin review verdict | ActionType in "SubmissionNotification,UserSubmission" |
| User Email Submissions by Admin review status (Mark and Notify) | ActionType in "SubmissionNotification,UserSubmission" |
| User email submissions (FN) from Junk Folder | ActionType == "UserSubmission" |
| User reported submissions | ActionType == "UserSubmission" |
| User reported submissions | ActionType == "UserSubmission" |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365detectionsandinsights | ActionType in "AdminSubmissionSubmitted,AttackSimUserSubmission,FileMalwareDetected,Malware ZAP,Phish ZAP,Redelivery,Spam ZAP,SubmissionNotification,UserSubmission"; ActionType contains "AdminSubmission"; ActionType contains "AdminSubmissionTriage"; ActionType contains "Submission"; ActionType contains "UserSubmission"; ActionType contains "UserSubmissionTriage" |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| CopilotforSecurityMonitoring | ActionType in "Register Microsoft.SecurityCopilot,Write Capacities" |
| DoDZeroTrustWorkbook | ActionType == "Add service principal." |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| ZeroTrustStrategyWorkbook | ActionType == "Add service principal." |
References by type: 0 connectors, 153 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "AdminSubmissionSubmitted" | - | 30 | - | - | 30 |
| ActionType == "UserSubmission" | - | 24 | - | - | 24 |
| ActionType == "FileMalwareDetected" | - | 10 | - | - | 10 |
| ActionType == "MailItemsAccessed" | - | 9 | - | - | 9 |
| ActionType == "QuarantineReleaseMessage" | - | 8 | - | - | 8 |
| ActionType == "AdminSubmissionSubmitted"; ActionType contains "Submission" | - | 8 | - | - | 8 |
| ActionType in "AdminSubmission,UserSubmission" | - | 5 | - | - | 5 |
| ActionType in "AdminSubmission,Malware ZAP,Phish ZAP,UserSubmission" | - | 4 | - | - | 4 |
| ActionType contains "AdminSubmission" | - | 4 | - | - | 4 |
| ActionType in "SubmissionNotification,UserSubmission" | - | 4 | - | - | 4 |
| ActionType in "AttackSimUserSubmission,UserSubmission"; ActionType contains "UserSubmission" | - | 4 | - | - | 4 |
| ActionType == "Set-AtpPolicyForO365" | - | 2 | - | - | 2 |
| ActionType in "AdminSubmissionSubmitted,Malware ZAP,Phish ZAP,Redelivery" | - | 2 | - | - | 2 |
| ActionType == "AdminMailAccess" | - | 2 | - | - | 2 |
| ActionType contains "TenantAllowBlockListItems" | - | 2 | - | - | 2 |
| ActionType in "AdminSubmission,UserSubmission"; ActionType contains "ZAP" | - | 2 | - | - | 2 |
| ActionType == "New-TenantAllowBlockListItems" | - | 2 | - | - | 2 |
| ActionType in "Added users and/or groups to shared file/folder,Invited user to Dropboxadded them to shared file/folder" | - | 2 | - | - | 2 |
| ActionType in "AddedToSecureLink,SecureLinkCreated" | - | 2 | - | - | 2 |
| ActionType contains "Set-InboxRule" | - | 2 | - | - | 2 |
| ActionType in "AdminSubmissionTriage,UserSubmissionTriage" | - | 2 | - | - | 2 |
| ActionType == "AirInvestigationData" | - | 2 | - | - | 2 |
| ActionType contains "AdminSubmissionTriage" | - | 2 | - | - | 2 |
| ActionType contains "UserSubmissionTriage" | - | 2 | - | - | 2 |
| ActionType in "Add service principal credentials.,Update application - Certificatessecrets management" | - | 2 | - | - | 2 |
| ActionType == "TeamsAdminAction" | - | 2 | - | - | 2 |
| ActionType == "CopilotInteraction" | - | 2 | - | - | 2 |
| ActionType in "Add owner to policy.,Add policy to service principal.,Add policy.,Delete policy.,Remove-CrossTenantAccessPolicy,Remove-LabelPolicy,Update authorization policy.,Update policy.,Write PolicyAssignments,Write PolicyExemptions" | - | 1 | - | - | 1 |
| ActionType in "Set domain authentication.,Set federation settings on domain." | - | 1 | - | - | 1 |
| ActionType in "Add delegated permission grant.,Consent to application." | - | 1 | - | - | 1 |
| ActionType == "Update StsRefreshTokenValidFrom Timestamp." | - | 1 | - | - | 1 |
| ActionType in "Add service principal credentials.,Consent to application.,Update application - Certificatessecrets management" | - | 1 | - | - | 1 |
| ActionType in "Remove eligible member from role.,Remove member from role." | - | 1 | - | - | 1 |
| ActionType in "Add service principal credentials.,Add service principal.,Update application Certificatessecrets management" | - | 1 | - | - | 1 |
| ActionType == "Add registered owner to device." | - | 1 | - | - | 1 |
| ActionType == "Update user." | - | 1 | - | - | 1 |
| ActionType == "Add member to role." | - | 1 | - | - | 1 |
| ActionType in "AdminSubmissionSubmitted,AttackSimUserSubmission,FileMalwareDetected,Malware ZAP,Phish ZAP,Redelivery,Spam ZAP,SubmissionNotification,UserSubmission"; ActionType contains "AdminSubmission"; ActionType contains "AdminSubmissionTriage"; ActionType contains "Submission"; ActionType contains "UserSubmission"; ActionType contains "UserSubmissionTriage" | - | 1 | - | - | 1 |
| Total | 0 | 153 | 0 | 0 | 153 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| UserSubmission | - | 44 | - | - | 44 |
| AdminSubmissionSubmitted | - | 41 | - | - | 41 |
| AdminSubmission | - | 11 | - | - | 11 |
| FileMalwareDetected | - | 11 | - | - | 11 |
| MailItemsAccessed | - | 9 | - | - | 9 |
| contains Submission | - | 9 | - | - | 9 |
| QuarantineReleaseMessage | - | 8 | - | - | 8 |
| Malware ZAP | - | 7 | - | - | 7 |
| Phish ZAP | - | 7 | - | - | 7 |
| contains AdminSubmission | - | 5 | - | - | 5 |
| SubmissionNotification | - | 5 | - | - | 5 |
| AttackSimUserSubmission | - | 5 | - | - | 5 |
| contains UserSubmission | - | 5 | - | - | 5 |
| Add service principal credentials. | - | 4 | - | - | 4 |
| Redelivery | - | 3 | - | - | 3 |
| contains AdminSubmissionTriage | - | 3 | - | - | 3 |
| contains UserSubmissionTriage | - | 3 | - | - | 3 |
| Update application - Certificates | - | 3 | - | - | 3 |
| Set-AtpPolicyForO365 | - | 2 | - | - | 2 |
| AdminMailAccess | - | 2 | - | - | 2 |
| contains TenantAllowBlockListItems | - | 2 | - | - | 2 |
| contains ZAP | - | 2 | - | - | 2 |
| New-TenantAllowBlockListItems | - | 2 | - | - | 2 |
| Added users and/or groups to shared file/folder | - | 2 | - | - | 2 |
| Invited user to Dropbox | - | 2 | - | - | 2 |
| AddedToSecureLink | - | 2 | - | - | 2 |
| SecureLinkCreated | - | 2 | - | - | 2 |
| contains Set-InboxRule | - | 2 | - | - | 2 |
| AdminSubmissionTriage | - | 2 | - | - | 2 |
| UserSubmissionTriage | - | 2 | - | - | 2 |
| AirInvestigationData | - | 2 | - | - | 2 |
| Consent to application. | - | 2 | - | - | 2 |
| TeamsAdminAction | - | 2 | - | - | 2 |
| CopilotInteraction | - | 2 | - | - | 2 |
| Add owner to policy. | - | 1 | - | - | 1 |
| Add policy to service principal. | - | 1 | - | - | 1 |
| Add policy. | - | 1 | - | - | 1 |
| Delete policy. | - | 1 | - | - | 1 |
| Remove-CrossTenantAccessPolicy | - | 1 | - | - | 1 |
| Remove-LabelPolicy | - | 1 | - | - | 1 |
| Update authorization policy. | - | 1 | - | - | 1 |
| Update policy. | - | 1 | - | - | 1 |
| Write PolicyAssignments | - | 1 | - | - | 1 |
| Write PolicyExemptions | - | 1 | - | - | 1 |
| Set domain authentication. | - | 1 | - | - | 1 |
| Set federation settings on domain. | - | 1 | - | - | 1 |
| Add delegated permission grant. | - | 1 | - | - | 1 |
| Update StsRefreshTokenValidFrom Timestamp. | - | 1 | - | - | 1 |
| Remove eligible member from role. | - | 1 | - | - | 1 |
| Remove member from role. | - | 1 | - | - | 1 |
| Add service principal. | - | 1 | - | - | 1 |
| Update application Certificates | - | 1 | - | - | 1 |
| Add registered owner to device. | - | 1 | - | - | 1 |
| Update user. | - | 1 | - | - | 1 |
| Add member to role. | - | 1 | - | - | 1 |
| Spam ZAP | - | 1 | - | - | 1 |