| _BilledSize |
|
Double |
| _IsBillable |
|
String |
| _ResourceId |
A unique identifier for the resource that the record is associated with |
String |
| _SubscriptionId |
A unique identifier for the subscription that the record is associated with |
String |
| AADGroupId |
Azure Active Directory group id |
String |
| AADTarget |
The user that the action (identified by the Operation property) was performed on |
String |
| Activity |
The activity that the user performed. |
String |
| Actor |
The user or service principal that performed the action |
String |
| ActorContextId |
The GUID of the organization that the actor belongs to |
String |
| ActorIpAddress |
The actor’s IP address in IPV4 or IPV6 address format |
String |
| AddOnGuid |
The unique identifier of the add-on generated this event |
String |
| AddonName |
The name of the add-on that generated this event |
String |
| AddOnType |
The type of add-on that generated this event |
String |
| AffectedItems |
Information about each item in the group |
String |
| AppDistributionMode |
Application distribution mode |
String |
| AppId |
Application ID |
String |
| Application |
The application name |
String |
| ApplicationId |
SharePoint application ID |
String |
| AppPoolName |
The App pool name |
String |
| AzureActiveDirectory_EventType |
The type of Azure AD event |
String |
| AzureADAppId |
Teams Application Azure AD ID |
String |
| ChannelGuid |
A unique identifier for the channel being audited |
String |
| ChannelName |
The name of the channel being audited |
String |
| ChannelType |
The type of channel being audited (Standard/Private) |
String |
| ChatName |
The name of the chat |
String |
| ChatThreadId |
The Id of the chat thread |
String |
| Client |
Details about the client device, device OS, and device browser that was used for the of the account login event |
String |
| Client_IPAddress |
The IP address of the device that was used when the operation was logged |
String |
| ClientAppId |
Client application ID |
String |
| ClientInfoString |
Information about the email client that was used to perform the operation |
String |
| ClientIP |
The IP address of the device that was used when the activity was logged |
String |
| ClientMachineName |
The machine name that hosts the Outlook client |
String |
| ClientProcessName |
The email client that was used to access the mailbox |
String |
| ClientVersion |
The version of the email client |
String |
| CommunicationType |
The type of communications that was conducted |
String |
| CrossMailboxOperations |
Indicates if the operation involved more than one mailbox |
Boolean |
| CustomEvent |
Optional string for custom events |
String |
| DataCenterSecurityEventType |
The type of dmdlet event in lock box |
Int32 |
| DestFolder |
The destination folder |
String |
| DestinationFileExtension |
The file extension of a file that is copied or moved |
String |
| DestinationFileName |
The name of the file that is copied or moved |
String |
| DestinationRelativeUrl |
The URL of the destination folder where a file is copied or moved |
String |
| DestMailboxId |
Set only if the CrossMailboxOperations parameter is True |
String |
| DestMailboxOwnerMasterAccountSid |
Set only if the CrossMailboxOperations parameter is True |
String |
| DestMailboxOwnerSid |
Set only if the CrossMailboxOperations parameter is True |
String |
| DestMailboxOwnerUPN |
Set only if the CrossMailboxOperations parameter is True |
String |
| EffectiveOrganization |
The name of the tenant that the elevation/cmdlet was targeted at |
String |
| ElevationApprovedTime |
The timestamp for when the elevation was approved |
DateTime |
| ElevationApprover |
The name of a Microsoft manager |
String |
| ElevationDuration |
The duration for which the elevation was active (in Hours) |
Int32 |
| ElevationRequestId |
A unique identifier for the elevation request |
String |
| ElevationRole |
The role the elevation was requested for |
String |
| ElevationTime |
The start time of the elevation |
DateTime |
| Event_Data |
Optional payload for custom events |
String |
| EventSource |
Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel |
String |
| ExtendedProperties |
The extended properties of the Azure AD event |
String |
| ExternalAccess |
Specifies whether the cmdlet was run by a user in your organization |
String |
| ExtraProperties |
A list of extra properties |
Object |
| Folder |
The folder where a group of items is located |
String |
| Folders |
Information about the source folders involved in an operation |
String |
| GenericInfo |
Used for comments and other generic information |
String |
| InternalLogonType |
Reserved for internal use |
Int32 |
| InterSystemsId |
The GUID that track the actions across components within the Office 365 service |
String |
| IntraSystemId |
The GUID that’s generated by Azure Active Directory to track the action |
String |
| IsManagedDevice |
Indicates if operation was created by a device managed by the organization |
Boolean |
| IssuedAtTime |
Issued At gets set if the Microsoft Entra token is available for the request and it indicates when the authentication for this Microsoft Entra token occurred. |
DateTime |
| Item |
Represents the item upon which the operation was performed |
String |
| ItemName |
The string in the Subject field of the email message |
String |
| ItemType |
The type of object that was accessed or modified. See the ItemType table for details on the types of objects |
String |
| LoginStatus |
This property is from OrgIdLogon.LoginStatus directly. The mapping of various interesting logon failures could be done by alerting algorithms |
Int32 |
| Logon_Type |
Indicates the type of user who accessed the mailbox and performed the operation that was logged |
String |
| LogonUserDisplayName |
The user-friendly name of the user who performed the operation |
String |
| LogonUserSid |
The SID of the user who performed the operation |
String |
| MachineDomainInfo |
Information about device sync operations |
String |
| MachineId |
Information about device sync operations |
String |
| MailboxGuid |
The Exchange GUID of the mailbox that was accessed |
String |
| MailboxOwnerMasterAccountSid |
Mailbox owner account’s master account SID |
String |
| MailboxOwnerSid |
The SID of the mailbox owner |
String |
| MailboxOwnerUPN |
The email address of the person who owns the mailbox that was accessed |
String |
| Members |
A list of users within a Team |
Object |
| MessageId |
An identifier for a chat or channel message |
String |
| ModifiedObjectResolvedName |
This is the user friendly name of the object that was modified by the cmdlet |
String |
| ModifiedProperties |
The property is included for admin events, such as adding a user as a member of a site or a site collection admin group |
String |
| Name |
Only present for settings events. Name of the setting that changed |
String |
| NewValue |
Only present for settings events. New value of the setting |
String |
| OfficeId |
Unique identifier of an audit record |
String |
| OfficeObjectId |
For SharePoint and OneDrive for Business activity |
String |
| OfficeTenantId |
The office tenant id |
String |
| OfficeWorkload |
The Office 365 service where the activity occurred |
String |
| OldValue |
Only present for settings events. Old value of the setting |
String |
| Operation |
The name of the operation that the user is performing |
String |
| OperationProperties |
Additional operation properties |
Object |
| OperationScope |
The scope the operation was performed on |
String |
| OrganizationId |
The GUID for your organization’s Office 365 tenant. This value will always be the same for your organization |
String |
| OrganizationName |
The name of the tenant |
String |
| OriginatingServer |
The name of the server from which the cmdlet was executed |
String |
| Parameters |
The name and value for all parameters that were used with the cmdlet that is identified in the Operations property |
String |
| RecordType |
The type of operation indicated by the record. See the AuditLogRecordType table for details on the types of audit log records |
String |
| ResultReasonType |
Reason for the result reported in ResultType |
String |
| ResultStatus |
Indicates whether the action (specified in the Operation property) was successful or not |
String |
| SendAsUserMailboxGuid |
The Exchange GUID of the mailbox that was accessed to send email as |
String |
| SendAsUserSmtp |
SMTP address of the user who is being impersonated |
String |
| SendonBehalfOfUserMailboxGuid |
The Exchange GUID of the mailbox that was accessed to send mail on behalf of |
String |
| SendOnBehalfOfUserSmtp |
SMTP address of the user on whose behalf the email is sent |
String |
| SharingType |
The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter |
String |
| Site_ |
The GUID of the site where the file or folder accessed by the user is located |
String |
| Site_Url |
The URL of the site where the file or folder accessed by the user is located |
String |
| Source_Name |
The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel |
String |
| SourceFileExtension |
The file extension of the file that was accessed by the user |
String |
| SourceFileName |
The name of the file or folder accessed by the user |
String |
| SourceRecordId |
Unique identifier of an audit record |
String |
| SourceRelativeUrl |
The URL of the folder that contains the file accessed by the user |
String |
| SourceSystem |
The source system name |
String |
| SRPolicyId |
Policy ID |
String |
| SRPolicyName |
Policy name |
String |
| SRRuleMatchDetails |
Rule details |
Object |
| Start_Time |
The date and time at which the cmdlet was executed |
DateTime |
| SupportTicketId |
The customer support ticket ID for the action in ‘act-on-behalf-of’ situations |
String |
| TabType |
The type of tab that generated this event |
String |
| TargetContextId |
The GUID of the organization that the targeted user belongs to |
String |
| TargetUserId |
Target user id |
String |
| TargetUserOrGroupName |
Stores the UPN or name of the target user or group that a resource was shared with |
String |
| TargetUserOrGroupType |
Identifies whether the target user or group is a Member, Guest, Group, or Partner |
String |
| TeamGuid |
A unique identifier for the team being audited |
String |
| TeamName |
The name of the team being audited |
String |
| TenantId |
|
String |
| TimeGenerated |
The date and time in Coordinated Universal Time (UTC) when the user performed the activity |
DateTime |
| Type |
The name of the table |
String |
| UniqueTokenId |
UniqueTokenId gets set if the Microsoft Entra token is available for the request. It’s a unique, per-token identifier that is case-sensitive. |
String |
| UserAgent |
The user agent |
String |
| UserDomain |
The domain of the user |
String |
| UserId |
The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged |
String |
| UserKey |
An alternative ID for the user identified in the UserId property |
String |
| UserSharedWith |
The user that a resource was shared with |
String |
| UserType |
The type of user that performed the operation. See the UserType table for details on the types of users |
String |