
A comma-separated string of plan ids queried. The location of the document with respect to the user's device. If startTime and endTime were not specified in the original request, they will be set to reflect the 24-hour interval that preceded the original request. This information is present only if it is applicable. Note that SharePoint is the only workload currently sending events from on-premises to O365. Information about files attached to the email message. The duration for which the elevation was active. User checks in a project that they checked out from a Project Web App. Azure Active Directory OrgId logon events (deprecated). The guid of the DLP policy for this event. High confidence Phish policy action in Anti-spam policy. The threats and the corresponding detection technologies. The data set we will be analyzing today is the o365:management:activity sourcetype. Extends the Common schema with the properties specific to all Exchange mailbox audit data. The sensitivity label is automatically applied and is allowed to override a privileged label assignment. The operation type for the audit log. The name of the user or admin activity. Indicates if the given count and confidence level of the sensitive type detected results in a DLP rule match. User forces a check in on a project in Project Web App. A survey is a special type of form that includes additional features such as CMS integration and support for Flow rules. The Yammer events listed in Search the audit log in the Security & Compliance Center will use this schema. Aggregated Exchange mailbox auditing events. The GUID that represents the application that is requesting the login. Stores the UPN or name of the target user or group that a resource was shared with. This property is displayed only for FileCopied and FileMoved events. The email client that was used to access the mailbox. Extends the Common schema with the properties specific to all Power BI events. 
For Exchange it includes false positive and override information. The Exchange GUID of the mailbox that was accessed. Each object will include the same properties returned by the /content operation, together with the GUID of the tenant to which the data belongs and the GUID of your application that created the subscriptions. Represents a security permission template. Version of the Azure Information Protection client that performed the audit action. This property is blank if the object that was accessed is a folder. The API relies on Azure AD and the OAuth2 protocol for authentication and authorization. The user that a resource was shared with. Admin submission system submitted the email. In Register an application, enter a meaningful application name to display to users; this doesn't have to match Splunk. The value associated with the specific auth check, such as True or False. User accepts an invitation to share a file or folder. User shares a file or folder located in SharePoint or OneDrive for Business with another user inside their organization. New UI for OneDrive for Business has been enabled. The URL will contain the same startTime and endTime parameters that were specified in the original request, together with a parameter indicating the internal ID of the next page. Source types for the Splunk Add-on for Microsoft Office 365. Splunk Add-on for Microsoft Cloud Services. The timestamp for when the elevation was approved. Users can check out and make changes to documents that have been shared with them. User deleted a security delegate in Project Web App. Indicates whether the email was set to allowed or blocked based on the override. Adding a person to a group grants the user the permissions that were assigned to the group. All organizations are initially allocated a baseline of 2,000 requests per minute. 
sourcetype=o365:management:activity Workload=AzureActiveDirectory
The URL for the API endpoint that you use is based on the type of Microsoft 365 or Office 365 subscription plan for your organization. The User Principal Name (UPN) of the user who performed the action (specified in the Operation property) that resulted in the record being logged. There can be one or more admins in the organization. Email of target user in the operation. If we do not receive an HTTP 200 OK response, the subscription will not be created. Id of the container associated with the plan. If we encounter excessive failures when sending notifications, our retry mechanism will exponentially increase the time between retries. The message was considered bad due to a previous malicious URL detonation. The type of collaboration allowed on sites (for example, intranet, extranet, or public) has been modified. Indicates the type of data import failure. In-Place Holds are managed by using an eDiscovery site collection (such as the eDiscovery Center) in SharePoint. Extends the Common schema with the properties specific to all Microsoft Teams events. The scope filter URI for the dataset in the consent operation. The machine name that hosts the Outlook client. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. Details about what conditions of the rule were matched for this event. The name of the file or folder accessed by the user. User checks in a document that they checked out from a SharePoint or OneDrive for Business document library. List of admin users the invite was sent to. The Microsoft Forms events listed in Search the audit log in the Office 365 Security & Compliance Center will use this schema. The following table contains information related to AIP heartbeat events. User restores a document from the recycle bin of a SharePoint or OneDrive for Business site. 
The Exchange Online Protection service plan assigned to the user that executed the cmdlet. 2005 - 2023 Splunk Inc. All rights reserved. The Workplace Analytics role of the user who performed the action. JSON array - The notifications will be represented by JSON objects with the following properties: Header to specify the desired language for localized names. Hi @vrajshekar. The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. Email campaign events from Microsoft Defender for Office 365. Has anyone had a similar problem? Outlook, msip.app, WinWord. The authentication checks that are done for the email. We recommend that you use the new ThreatsAndDetectionTech field because it shows multiple verdicts and the updated detection technologies. Microsoft Planner's ObjectId definition is bound to each Microsoft Planner's record type and will be illustrated individually. Events related to sensitivity labels applied to Office documents. After you create a subscription, you can poll regularly to discover new content blobs that are available for download, or you can register a webhook endpoint with the subscription and we will send notifications to this endpoint as new content blobs are available. Stores the datatype of the Sensitive Info type data. This does not include viewing document library files from a SharePoint site or OneDrive for Business site on a browser. The role of the user who performed the action. The file share-related SharePoint events. 
The IP address of the device that was used when the activity was logged. 
Question: do these both pertain to the same set of logs, and am I doubling up? The authentication method is a one-time code. The Guid of the policy that triggered the alert. The internet message ID of the email message. User deletes a timesheet in Project Web App. Id of the environment where action was performed. User submits a status update of one or more tasks in Project Web App. An identifier that can be used to correlate a specific user's actions across Microsoft 365 services. The current sensitivity label ID of the file. Extends the Common schema with the properties specific to Defender for Office 365 and threat investigation and response data. The notification system sends notifications as new content becomes available. Policy action is to add X-header to the email message. The Office 365 Management Activity API schema is provided as a data service in two layers: Common schema. Global administrator adds a user agent to the list of exempt user agents in the SharePoint admin center. The folder where a group of items is located. The body of the request will contain an array of one or more JSON objects that represent the available content blobs. Indicates data will be downloaded from Canonical store. UserAgent might not be present in case of a system generated event. The UPN of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. The URL of the folder that contains the file accessed by the user. Events related to HR data signals that support the Insider risk management solution. The additional actions that were taken on the email, such as ZAP or Manual Remediation. Events related to outbound spam protection. For more information, see the app@sharepoint user in audit records. User rejects a timesheet in Project Web App. The IP address is displayed in either an IPv4 or IPv6 address format. Events related to the application of information barrier policies. 
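The subscription, paging and rate-limit behaviour of the Management Activity API content feed described above, worked through as an added example; it is not code from the Splunk add-on or from Microsoft's documentation. It assumes a bearer token already obtained from Azure AD via the OAuth2 client-credentials flow, a placeholder tenant GUID, and a constructed in-memory transport in place of a real HTTP client. The scripted responses, content identifiers and the nextPage parameter shown inside the NextPageUri are likewise constructed.

```python
"""List Office 365 Management Activity API content blobs, page by page.

Added example; not the Splunk add-on's code and not Microsoft's. The HTTP
layer is a constructed in-memory transport so this runs offline.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

API_ROOT = "https://manage.office.com/api/v1.0"
# (status, response headers, JSON body) as a real HTTP client would expose them
Response = Tuple[int, Dict[str, str], List[dict]]


class FakeTransport:
    """Constructed stand-in for HTTP GET: replays a scripted list of responses."""

    def __init__(self, script: List[Response]) -> None:
        self._script = list(script)
        self.calls: List[str] = []

    def get(self, url: str, headers: Dict[str, str]) -> Response:
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {}, []      # the API rejects requests without an Azure AD token
        self.calls.append(url)
        if not self._script:
            raise RuntimeError("unexpected request: " + url)
        return self._script.pop(0)


def list_content(transport, tenant_id: str, token: str, content_type: str,
                 start_time: Optional[str] = None, end_time: Optional[str] = None,
                 max_attempts: int = 5,
                 sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Return every content-blob descriptor for the window, following NextPageUri."""
    url = f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/content?contentType={content_type}"
    if start_time and end_time:   # if omitted, the service uses the preceding 24 hours
        url += f"&startTime={start_time}&endTime={end_time}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    blobs: List[dict] = []
    seen = set()
    while url:
        delay = 1.0
        for _ in range(max_attempts):
            status, resp_headers, body = transport.get(url, headers)
            if status == 429:       # throttled: back off exponentially, retry the same URL
                sleep(delay)
                delay *= 2
                continue
            if status != 200:
                raise RuntimeError(f"content list failed: HTTP {status}")
            break
        else:
            raise RuntimeError("gave up after repeated HTTP 429")
        for blob in body:
            if blob["contentId"] not in seen:   # defensive: never queue the same blob twice
                seen.add(blob["contentId"])
                blobs.append(blob)
        # NextPageUri already carries startTime/endTime and the server's page id;
        # use it verbatim rather than rebuilding the query. Absent on the last page.
        url = resp_headers.get("NextPageUri")
    return blobs


def demo() -> Tuple[List[dict], List[str], List[float]]:
    """Scripted run: page 1, a 429 on page 2, then page 2. Everything here is constructed."""
    tenant = "00000000-0000-0000-0000-000000000000"
    ctype = "Audit.AzureActiveDirectory"

    def blob(n: int) -> dict:
        return {"contentId": f"constructed-blob-{n}", "contentType": ctype,
                "contentUri": f"{API_ROOT}/{tenant}/activity/feed/audit/constructed-blob-{n}",
                "contentCreated": "2023-06-01T10:00:00.000Z",
                "contentExpiration": "2023-06-08T10:00:00.000Z"}

    next_uri = (f"{API_ROOT}/{tenant}/activity/feed/subscriptions/content?contentType={ctype}"
                "&startTime=2023-06-01T00:00:00&endTime=2023-06-02T00:00:00"
                "&nextPage=constructed-page-2")
    transport = FakeTransport([
        (200, {"NextPageUri": next_uri}, [blob(1)]),
        (429, {"Retry-After": "1"}, []),
        (200, {}, [blob(2), blob(3)]),
    ])
    slept: List[float] = []
    blobs = list_content(transport, tenant, "assumed-access-token", ctype,
                         "2023-06-01T00:00:00", "2023-06-02T00:00:00", sleep=slept.append)
    return blobs, transport.calls, slept


if __name__ == "__main__":
    for b in demo()[0]:
        print(b["contentId"], b["contentUri"])
```

Each descriptor's contentUri is what you then download; the add-on does this for every blob, which is why one tenant's request count climbs quickly and why the 2,000 requests-per-minute baseline matters when several inputs poll the same subscription.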
Indicates the value for the attribute that is the primary field for the entity. DlpInfo - These only exist in SharePoint Online and OneDrive for Business and indicate a false positive designation but no action was "undone". Common schema is sourced from product data that is owned by each product team, such as Exchange, SharePoint, Azure Active Directory, Yammer, and OneDrive for Business. The relevant process name. The user request failed due to failed authorization. Extends the Common schema with the properties specific to all quarantine events. For more information, see Learn about encrypted message portal logs. Unique identifier of the item (for example, an email message) being imported. The email address of the person who owns the mailbox that was accessed. Policy action is to redirect the email message to the email address specified by the filtering policy. The mail may have been encrypted manually with a sensitivity label or an RMS template, or automatically by a transport rule, a Data Loss Prevention policy, or an auto-labeling policy. Forms that are created with the New Form option. The network message id of the quarantined email message. Events related to manual investigations in Automated investigation and response (AIR).
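Triage of the indexed records themselves, as an added example that is not the add-on's code: it dedupes by Id (the check to run when two inputs may be feeding the same events into one index), normalises ClientIP in both its IPv4 and IPv6 forms, and flags SharingSet operations whose target lies outside the tenant, including B2B guests whose UPN hides behind a tenant domain. The records, the IP addresses and the tenant domain list are constructed; the field names follow the Common schema and the SharePoint sharing schema described above.

```python
"""Triage Office 365 Management Activity audit records.

Added example; not code from the Splunk add-on or from Microsoft. Records are
in the shape Splunk indexes under sourcetype o365:management:activity: one JSON
object per event with the Common schema fields (Id, RecordType, CreationTime,
Operation, Workload, UserId, ClientIP, ObjectId) and, for sharing events,
TargetUserOrGroupName / TargetUserOrGroupType.
"""
import ipaddress
import json
from typing import Iterable, Iterator, List

# Constructed sample. a1 arrives twice (same Id, as when two inputs pull the same
# feed); b2 is an internal share from an IPv6 client; c3 is an Azure AD logon;
# d4 shares with a B2B guest whose UPN carries the #EXT# marker and the tenant's
# own onmicrosoft.com domain. RecordType 14 = SharePointSharingOperation,
# 15 = AzureActiveDirectoryStsLogon (Management Activity API schema).
_A1 = {"Id": "a1", "RecordType": 14, "CreationTime": "2023-06-01T09:12:03",
       "Operation": "SharingSet", "Workload": "SharePoint", "UserId": "alice@contoso.com",
       "ClientIP": "203.0.113.7",
       "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx",
       "TargetUserOrGroupName": "bob@fabrikam.com", "TargetUserOrGroupType": "Guest"}
_RECORDS = [
    _A1,
    dict(_A1),
    {"Id": "b2", "RecordType": 14, "CreationTime": "2023-06-01T09:15:40",
     "Operation": "SharingSet", "Workload": "SharePoint", "UserId": "carol@contoso.com",
     "ClientIP": "[2001:db8::1]:443",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/policy.docx",
     "TargetUserOrGroupName": "dave@contoso.com", "TargetUserOrGroupType": "Member"},
    {"Id": "c3", "RecordType": 15, "CreationTime": "2023-06-01T09:20:11",
     "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "alice@contoso.com", "ClientIP": "198.51.100.23", "ObjectId": "Unknown"},
    {"Id": "d4", "RecordType": 14, "CreationTime": "2023-06-01T09:31:57",
     "Operation": "SharingSet", "Workload": "OneDrive", "UserId": "alice@contoso.com",
     "ClientIP": "203.0.113.7",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/notes.docx",
     "TargetUserOrGroupName": "eve_gmail.com#EXT#@contoso.onmicrosoft.com",
     "TargetUserOrGroupType": "Guest"},
]
SAMPLE_LINES = [json.dumps(r) for r in _RECORDS]
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}   # assumption for the example


def parse_records(lines: Iterable[str]) -> Iterator[dict]:
    """One JSON object per line, as the add-on indexes them; blank lines are skipped."""
    for line in lines:
        if line.strip():
            yield json.loads(line)


def dedupe_by_id(records: Iterable[dict]) -> List[dict]:
    """Keep the first record per Id. Id is unique per audit record, so a repeat
    means the same event was ingested twice, not that it happened twice."""
    seen, unique = set(), []
    for rec in records:
        if rec["Id"] not in seen:
            seen.add(rec["Id"])
            unique.append(rec)
    return unique


def normalise_client_ip(value: str) -> str:
    """Compressed IPv4/IPv6 form of ClientIP, or "" if it does not parse.
    Some workloads append a port ("203.0.113.7:51234", "[2001:db8::1]:443")."""
    host = (value or "").strip()
    if host.startswith("["):                  # [v6]:port
        host = host[1:host.find("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:                # v4:port
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).compressed
    except ValueError:
        return ""


def target_is_external(rec: dict, tenant_domains: Iterable[str]) -> bool:
    """True for a SharingSet whose target is a guest, a B2B UPN, or a foreign domain."""
    if rec.get("Operation") != "SharingSet":
        return False
    target = (rec.get("TargetUserOrGroupName") or "").lower()
    if rec.get("TargetUserOrGroupType") == "Guest" or "#ext#" in target:
        return True
    domain = target.rsplit("@", 1)[-1] if "@" in target else ""   # groups have no @
    return bool(domain) and domain not in {d.lower() for d in tenant_domains}


def triage(lines: Iterable[str], tenant_domains: Iterable[str]) -> dict:
    records = list(parse_records(lines))
    unique = dedupe_by_id(records)
    external = [{"Id": r["Id"], "UserId": r.get("UserId"), "ObjectId": r.get("ObjectId"),
                 "Target": r.get("TargetUserOrGroupName"),
                 "ClientIP": normalise_client_ip(r.get("ClientIP", ""))}
                for r in unique if target_is_external(r, tenant_domains)]
    return {"received": len(records), "unique": len(unique),
            "duplicates_dropped": len(records) - len(unique), "external_shares": external}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES, TENANT_DOMAINS), indent=2))
```

The duplicate count is the quick answer to the question of whether two inputs overlap: if the same Ids keep appearing, the inputs are pulling the same content type for the same tenant and one of them should be retired rather than deduplicated at search time.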