Reference for OfficeActivity table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Office 365 |
| Basic Logs Eligible | No |
| Supports Transformations | Yes |
| Ingestion API Supported | No |
Source: Azure Monitor documentation (Azure Monitor tables reference)
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AADGroupId | string | Azure Active Directory group id |
| AADTarget | string | The user that the action (identified by the Operation property) was performed on |
| Activity | string | The activity that the user performed. |
| Actor | string | The user or service principal that performed the action |
| ActorContextId | string | The GUID of the organization that the actor belongs to |
| ActorIpAddress | string | The actor's IP address in IPV4 or IPV6 address format |
| AddOnGuid | string | The unique identifier of the add-on that generated this event |
| AddonName | string | The name of the add-on that generated this event |
| AddOnType | string | The type of add-on that generated this event |
| AffectedItems | string | Information about each item in the group |
| AppAccessContext | dynamic | The application context for the user or service principal that performed the action. |
| AppDistributionMode | string | Application distribution mode |
| AppId | string | Application ID |
| Application | string | The application name |
| ApplicationId | string | SharePoint application ID |
| AppPoolName | string | The App pool name |
| ArtifactsShared | dynamic | The artifacts shared in the meeting. |
| Attendees | dynamic | The list of attendees for the meeting. |
| AzureActiveDirectory_EventType | string | The type of Azure AD event |
| AzureADAppId | string | Teams Application Azure AD ID |
| ChannelGuid | string | A unique identifier for the channel being audited |
| ChannelName | string | The name of the channel being audited |
| ChannelType | string | The type of channel being audited (Standard/Private) |
| ChatName | string | The name of the chat |
| ChatThreadId | string | The Id of the chat thread |
| Client | string | Details about the client device, device OS, and device browser that were used for the account login event |
| Client_IPAddress | string | The IP address of the device that was used when the operation was logged |
| ClientAppId | string | Client application ID |
| ClientInfoString | string | Information about the email client that was used to perform the operation |
| ClientIP | string | The IP address of the device that was used when the activity was logged |
| ClientMachineName | string | The machine name that hosts the Outlook client |
| ClientProcessName | string | The email client that was used to access the mailbox |
| ClientVersion | string | The version of the email client |
| CommunicationType | string | The type of communications that was conducted |
| CrossMailboxOperations | bool | Indicates if the operation involved more than one mailbox |
| CustomEvent | string | Optional string for custom events |
| DataCenterSecurityEventType | int | The type of cmdlet event in Lockbox |
| DestFolder | string | The destination folder |
| DestinationFileExtension | string | The file extension of a file that is copied or moved |
| DestinationFileName | string | The name of the file that is copied or moved |
| DestinationRelativeUrl | string | The URL of the destination folder where a file is copied or moved |
| DestMailboxId | string | Set only if the CrossMailboxOperations parameter is True |
| DestMailboxOwnerMasterAccountSid | string | Set only if the CrossMailboxOperations parameter is True |
| DestMailboxOwnerSid | string | Set only if the CrossMailboxOperations parameter is True |
| DestMailboxOwnerUPN | string | Set only if the CrossMailboxOperations parameter is True |
| DeviceInformation | string | The user device information. |
| EffectiveOrganization | string | The name of the tenant that the elevation/cmdlet was targeted at |
| ElevationApprovedTime | datetime | The timestamp for when the elevation was approved |
| ElevationApprover | string | The name of a Microsoft manager |
| ElevationDuration | int | The duration for which the elevation was active (in Hours) |
| ElevationRequestId | string | A unique identifier for the elevation request |
| ElevationRole | string | The role the elevation was requested for |
| ElevationTime | datetime | The start time of the elevation |
| Event_Data | string | Optional payload for custom events |
| EventSource | string | Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel |
| ExtendedProperties | string | The extended properties of the Azure AD event |
| ExternalAccess | string | Specifies whether the cmdlet was run by a user in your organization |
| ExtraProperties | dynamic | A list of extra properties |
| Folder | string | The folder where a group of items is located |
| Folders | string | Information about the source folders involved in an operation |
| GenericInfo | string | Used for comments and other generic information |
| InternalLogonType | int | Reserved for internal use |
| InterSystemsId | string | The GUID that tracks the actions across components within the Office 365 service |
| IntraSystemId | string | The GUID that's generated by Azure Active Directory to track the action |
| IsJoinedFromLobby | bool | Indicates whether the user joined from the lobby. |
| IsManagedDevice | bool | Indicates if operation was created by a device managed by the organization |
| Item | string | Represents the item upon which the operation was performed |
| ItemName | string | The string in the Subject field of the email message |
| ItemType | string | The type of object that was accessed or modified. See the ItemType table for details on the types of objects |
| JoinTime | datetime | The time the user joined the meeting. |
| LeaveTime | datetime | The time the user left the meeting. |
| ListItemUniqueId | string | The GUID that uniquely identifies a list item. Present only when applicable. |
| LoginStatus | int | Taken directly from OrgIdLogon.LoginStatus. Alerting logic can map the values of interest (for example, specific logon failures) to detections |
| Logon_Type | string | Indicates the type of user who accessed the mailbox and performed the operation that was logged |
| LogonUserDisplayName | string | The user-friendly name of the user who performed the operation |
| LogonUserSid | string | The SID of the user who performed the operation |
| MachineDomainInfo | string | Information about device sync operations |
| MachineId | string | Information about device sync operations |
| MailboxGuid | string | The Exchange GUID of the mailbox that was accessed |
| MailboxOwnerMasterAccountSid | string | Mailbox owner account's master account SID |
| MailboxOwnerSid | string | The SID of the mailbox owner |
| MailboxOwnerUPN | string | The email address of the person who owns the mailbox that was accessed |
| MeetingDetailId | string | The meeting detail ID. |
| Members | dynamic | A list of users within a Team |
| MessageId | string | An identifier for a chat or channel message |
| ModifiedObjectResolvedName | string | This is the user friendly name of the object that was modified by the cmdlet |
| ModifiedProperties | string | The property is included for admin events, such as adding a user as a member of a site or a site collection admin group |
| NewValue | string | Only present for settings events. New value of the setting |
| OfficeId | string | Unique identifier of an audit record |
| OfficeObjectId | string | For SharePoint and OneDrive for Business activity |
| OfficeTenantId | string | The office tenant id |
| OfficeWorkload | string | The Office 365 service where the activity occurred |
| OldValue | string | Only present for settings events. Old value of the setting |
| Operation | string | The name of the operation that the user is performing |
| OperationProperties | dynamic | Additional operation properties |
| OperationScope | string | The scope the operation was performed on |
| OrganizationId | string | The GUID for your organization's Office 365 tenant. This value will always be the same for your organization |
| OrganizationName | string | The name of the tenant |
| OriginatingServer | string | The name of the server from which the cmdlet was executed |
| Parameters | string | The name and value for all parameters that were used with the cmdlet that is identified in the Operation property |
| RecordType | string | The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records |
| ResultReasonType | string | Reason for the result reported in ResultType |
| ResultStatus | string | Indicates whether the action (specified in the Operation property) was successful or not |
| SendAsUserMailboxGuid | string | The Exchange GUID of the mailbox that was accessed to send email as |
| SendAsUserSmtp | string | SMTP address of the user who is being impersonated |
| SendonBehalfOfUserMailboxGuid | string | The Exchange GUID of the mailbox that was accessed to send mail on behalf of |
| SendOnBehalfOfUserSmtp | string | SMTP address of the user on whose behalf the email is sent |
| SensitivityLabelId | string | The current sensitivity label ID of the file. |
| SharingType | string | The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter |
| Site_ | string | The GUID of the site where the file or folder accessed by the user is located |
| Site_Url | string | The URL of the site where the file or folder accessed by the user is located |
| Source_Name | string | The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel |
| SourceFileExtension | string | The file extension of the file that was accessed by the user |
| SourceFileName | string | The name of the file or folder accessed by the user |
| SourceRecordId | string | Unique identifier of an audit record |
| SourceRelativeUrl | string | The URL of the folder that contains the file accessed by the user |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| SRPolicyId | string | Policy ID |
| SRPolicyName | string | Policy name |
| SRRuleMatchDetails | dynamic | Rule details |
| Start_Time | datetime | The date and time at which the cmdlet was executed |
| SupportTicketId | string | The customer support ticket ID for the action in 'act-on-behalf-of' situations |
| TabType | string | The type of tab that generated this event |
| TargetContextId | string | The GUID of the organization that the targeted user belongs to |
| TargetUserId | string | Target user id |
| TargetUserOrGroupName | string | Stores the UPN or name of the target user or group that a resource was shared with |
| TargetUserOrGroupType | string | Identifies whether the target user or group is a Member, Guest, Group, or Partner |
| TeamGuid | string | A unique identifier for the team being audited |
| TeamName | string | The name of the team being audited |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time in Coordinated Universal Time (UTC) when the user performed the activity |
| Type | string | The name of the table |
| UniqueSharingId | string | The unique sharing ID associated with the sharing operation. |
| UserAgent | string | The user agent |
| UserDomain | string | The domain of the user |
| UserId | string | The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged |
| UserKey | string | An alternative ID for the user identified in the UserId property |
| UserSharedWith | string | The user that a resource was shared with |
| UserType | string | The type of user that performed the operation. See the UserType table for details on the types of users |
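The columns above are easiest to understand in a query that exercises them together. The following KQL is an added example written for this reference page; it is not code from the Azure Monitor documentation or from any of the Sentinel solutions listed below. It hunts for inbox rules that forward or redirect mail to a domain other than the acting user's own, combining the workload and record-type filters that the solutions below select on (OfficeWorkload, RecordType) with the Exchange-specific columns (Operation, Parameters, ResultStatus, UserDomain, ClientIP, UserAgent). The Operation values "New-InboxRule" and "Set-InboxRule", the success value "True" in ResultStatus, and the JSON shape of the Parameters string (an array of {"Name": ..., "Value": ...} objects) are assumptions about the Exchange audit payload that this page does not state; verify them against your own data before relying on the query.

```kql
// Added example for the OfficeActivity reference, not code from Azure Monitor
// or any Sentinel solution. Assumed (not stated on this page): Exchange audits
// inbox-rule cmdlets as Operation "New-InboxRule"/"Set-InboxRule", ResultStatus
// is "True" on success, and Parameters is a JSON string of the form
// [{"Name":"ForwardTo","Value":"..."}, ...].
let lookback = 7d;
let forwarding_params = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
// Same selectors the Exchange content on this page filters on
| where OfficeWorkload == "Exchange" and RecordType == "ExchangeAdmin"
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where ResultStatus == "True"
// Parameters is typed string: parse it, then expand to one row per parameter
| extend ParamArray = parse_json(Parameters)
| mv-expand Param = ParamArray
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| where ParamName in (forwarding_params)
// Recipient values may be display names with the address in brackets, so pull
// out the first SMTP address rather than trusting the raw string
| extend Recipient = tolower(extract(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+)", 1, ParamValue))
| extend RecipientDomain = tostring(split(Recipient, "@")[1])
// External = destination domain differs from the acting user's domain column
| extend IsExternal = isnotempty(RecipientDomain) and RecipientDomain != tolower(UserDomain)
| where IsExternal
| summarize RuleChanges = count(),
            Recipients = make_set(Recipient),
            SourceIPs = make_set(ClientIP),
            Agents = make_set(UserAgent),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by UserId, UserDomain, Operation
| order by LastSeen desc
```

Two caveats a practitioner should keep in mind: UserDomain can be empty on some records, in which case the external check above treats every recipient as external, so review the Recipients set rather than alerting on IsExternal alone; and mailbox-level forwarding set through Set-Mailbox (ForwardingSmtpAddress) is a separate Operation value that this query deliberately does not cover, so pair it with a transport-rule or mailbox-forwarding detection such as the ones listed under the Exchange content below.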
This table is ingested by the following connector; the solutions and content items that use it are listed in the sections that follow.
| Connector | Selection Criteria |
|---|---|
| Microsoft 365 (formerly, Office 365) | OfficeWorkload in "Exchange,MicrosoftTeams,OneDrive,SharePoint" |
In solution Apache Log4j Vulnerability Detection:
| Analytic Rule | Selection Criteria |
|---|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC | |
| User agent search for log4j exploitation attempt | |
In solution Business Email Compromise - Financial Fraud:
| Analytic Rule | Selection Criteria |
|---|---|
| Malicious BEC Inbox Rule | |
In solution GreyNoiseThreatIntelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| GreyNoise TI map IP entity to OfficeActivity | |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in OfficeActivity | |
In solution Microsoft 365:
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Executable uploaded to SharePoint document management site | OfficeWorkload == "SharePoint" |
| Dataverse - Malware found in SharePoint document management site | OfficeWorkload == "SharePoint" |
| Dataverse - Mass download from SharePoint document management | OfficeWorkload == "SharePoint" |
| Dataverse - New user agent type that was not used with Office 365 | |
In solution Network Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| New UserAgent observed in last 24 hours | |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Mail redirect via ExO transport rule | OfficeWorkload == "Exchange" |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to OfficeActivity | |
| TI map IP entity to OfficeActivity | |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to OfficeActivity | |
| TI map IP entity to OfficeActivity | |
In solution ThreatConnect:
| Analytic Rule | Selection Criteria |
|---|---|
| ThreatConnect TI Map URL Entity to OfficeActivity Data | |
| ThreatConnect TI map Email entity to OfficeActivity | |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Anomalous login followed by Teams action | |
| Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt | |
| Europium - Hash and IP IOCs - September 2022 | |
| High risk Office operation conducted by IP Address that recently attempted to log into a disabled account | |
| Malformed user agent | |
| Mercury - Domain, Hash and IP IOCs - August 2022 | |
| Multiple Password Reset by user | OfficeWorkload == "AzureActiveDirectory" |
| NRT Malicious Inbox Rule | OfficeWorkload == "Exchange" |
| NRT Multiple users email forwarded to same destination | OfficeWorkload == "Exchange" |
In solution Business Email Compromise - Financial Fraud:
| Hunting Query | Selection Criteria |
|---|---|
| Email Forwarding Configuration with SAP download | |
| Office Mail Rule Creation with suspicious archive mail move activity | OfficeWorkload == "Exchange" |
In solution Microsoft 365:
In solution Network Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Exploit and Pentest Framework User Agent | |
In solution Threat Intelligence:
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to OfficeActivity Event | |
In solution Threat Intelligence (NEW):
| Hunting Query | Selection Criteria |
|---|---|
| TI Map File Entity to OfficeActivity Event | |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Rare domains seen in Cloud Logs | |
| Tracking Password Changes | |
| Tracking Privileged Account Rare Activity | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| New Location Sign in with Mail forwarding activity | |
In solution Apache Log4j Vulnerability Detection:
| Workbook | Selection Criteria |
|---|---|
| Log4jPostCompromiseHunting | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | RecordType == "MicrosoftTeams" |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance | OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; OfficeWorkload has_any "OneDrive,SharePoint"; RecordType in "ExchangeAdmin,SharePointFileOperation" |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity | OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; OfficeWorkload has_any "OneDrive,SharePoint"; RecordType in "ExchangeAdmin,SharePointFileOperation" |
In solution Global Secure Access:
| Workbook | Selection Criteria |
|---|---|
| GSAM365EnrichedEvents | OfficeWorkload in "Exchange,OneDrive,SPO/OneDrive,SharePoint,Teams" |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | OfficeWorkload == "Exchange"; RecordType == "ExchangeAdmin" |
In solution Microsoft 365:
| Workbook | Selection Criteria |
|---|---|
| ExchangeOnline | OfficeWorkload == "Exchange" |
| Office365 | OfficeWorkload in "Exchange,OneDrive,SharePoint" |
| SharePointAndOneDrive | OfficeWorkload in "OneDrive,SharePoint" |
In solution Microsoft Exchange Security - Exchange Online:
| Workbook | Selection Criteria |
|---|---|
| Microsoft Exchange Admin Activity - Online | RecordType == "ExchangeAdmin" |
| Microsoft Exchange Search AdminAuditLog - Online | RecordType == "ExchangeAdmin" |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; RecordType in "ExchangeAdmin,SharePointFileOperation" |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
In solution SOX IT Compliance:
| Workbook | Selection Criteria |
|---|---|
| SOXITCompliance | OperationName has_any "Add directory role member,Add member to role,Add user,Create user,Role assignment,Update user"; OperationName has_any "directory write,policy update,role assignment,role update" |
In solution Teams:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftTeams | OfficeWorkload == "MicrosoftTeams"; RecordType == "SharePointFileOperation" |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | RecordType == "MicrosoftTeams" |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AdvancedWorkbookConcepts | |
| DataCollectionHealthMonitoring | |
| Data_Latency_Workbook | |
| DoDZeroTrustWorkbook | |
| ExchangeOnline | OfficeWorkload == "Exchange" |
| InvestigationInsights | |
| Log4jPostCompromiseHunting | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| MicrosoftTeams | OfficeWorkload == "MicrosoftTeams"; RecordType == "SharePointFileOperation" |
| Office365 | OfficeWorkload in "Exchange,OneDrive,SharePoint" |
| SharePointAndOneDrive | OfficeWorkload in "OneDrive,SharePoint" |
| SolarWindsPostCompromiseHunting | OfficeWorkload == "Exchange"; OperationName == "Add member to group"; OperationName in "Set domain authentication,Set federation settings on domain"; OperationName has_any "Add service principal,Certificatessecrets management" |
| ZeroTrustStrategyWorkbook | |
ASIM parsers (selection criteria: RecordType == "ExchangeAdmin"):
| Parser | Schema | Product |
|---|---|---|
| ASimAuditEventMicrosoftExchangeAdmin365 | AuditEvent | Microsoft SharePoint |
Other parsers (selection criteria: RecordType == "ExchangeAdmin"):
| Parser | Solution |
|---|---|
| MESOfficeActivityLogs | Microsoft Exchange Security - Exchange Online |
References by type: 1 connector, 51 content items, 1 ASIM parser, 1 other parser.
By selection criteria:
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| OfficeWorkload == "Exchange" | - | 15 | - | - | 15 |
| OfficeWorkload == "MicrosoftTeams" | - | 8 | - | - | 8 |
| RecordType == "ExchangeAdmin" | - | 4 | 1 | 1 | 6 |
| RecordType == "SharePointFileOperation" | - | 5 | - | - | 5 |
| OfficeWorkload == "MicrosoftTeams"; RecordType == "SharePointFileOperation" | - | 3 | - | - | 3 |
| OfficeWorkload == "SharePoint" | - | 3 | - | - | 3 |
| OfficeWorkload has_any "OneDrive,SharePoint" | - | 2 | - | - | 2 |
| RecordType == "MicrosoftTeams" | - | 2 | - | - | 2 |
| OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; OfficeWorkload has_any "OneDrive,SharePoint"; RecordType in "ExchangeAdmin,SharePointFileOperation" | - | 2 | - | - | 2 |
| OfficeWorkload in "Exchange,MicrosoftTeams,OneDrive,SharePoint" | 1 | - | - | - | 1 |
| OfficeWorkload == "AzureActiveDirectory" | - | 1 | - | - | 1 |
| OfficeWorkload in "Exchange,OneDrive,SPO/OneDrive,SharePoint,Teams" | - | 1 | - | - | 1 |
| OfficeWorkload == "Exchange"; RecordType == "ExchangeAdmin" | - | 1 | - | - | 1 |
| OfficeWorkload in "Exchange,OneDrive,SharePoint" | - | 1 | - | - | 1 |
| OfficeWorkload in "OneDrive,SharePoint" | - | 1 | - | - | 1 |
| OfficeWorkload == "Exchange"; OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"; OfficeWorkload has_any "Exchange,OneDrive"; RecordType in "ExchangeAdmin,SharePointFileOperation" | - | 1 | - | - | 1 |
| OperationName has_any "Add directory role member,Add member to role,Add user,Create user,Role assignment,Update user"; OperationName has_any "directory write,policy update,role assignment,role update" | - | 1 | - | - | 1 |
| Total | 1 | 51 | 1 | 1 | 54 |
By OfficeWorkload value:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Exchange | 1 | 21 | - | - | 22 |
| MicrosoftTeams | 1 | 14 | - | - | 15 |
| SharePoint | 1 | 6 | - | - | 7 |
| has_any OneDrive | - | 7 | - | - | 7 |
| OneDrive | 1 | 3 | - | - | 4 |
| has_any SharePoint | - | 4 | - | - | 4 |
| AzureActiveDirectory | - | 4 | - | - | 4 |
| has_any Exchange | - | 3 | - | - | 3 |
| SPO/OneDrive | - | 1 | - | - | 1 |
| Teams | - | 1 | - | - | 1 |
By OperationName value:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has_any Add directory role member | - | 1 | - | - | 1 |
| has_any Add member to role | - | 1 | - | - | 1 |
| has_any Add user | - | 1 | - | - | 1 |
| has_any Create user | - | 1 | - | - | 1 |
| has_any Role assignment | - | 1 | - | - | 1 |
| has_any Update user | - | 1 | - | - | 1 |
| has_any directory write | - | 1 | - | - | 1 |
| has_any policy update | - | 1 | - | - | 1 |
| has_any role assignment | - | 1 | - | - | 1 |
| has_any role update | - | 1 | - | - | 1 |
By RecordType value:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SharePointFileOperation | - | 11 | - | - | 11 |
| ExchangeAdmin | - | 8 | 1 | 1 | 10 |
| MicrosoftTeams | - | 2 | - | - | 2 |