Intune

Audit Log Properties

Property	Property description	Values
ActivityType	The action that the admin takes.	Create, Delete, Patch, Action, SetReference, RemoveReference, Get, Search
ActorType	Person taking the action.	Unknown = 0, ItPro, IW, System, Partner, Application, GuestUser
Category	The pane where the action took place.	Other = 0, Enrollment = 1, Compliance = 2, DeviceConfiguration = 3, Device = 4, Application = 5, EBookManagement = 6, ConditionalAccess= 7, OnPremiseAccess= 8, Role = 9, SoftwareUpdates =10, DeviceSetupConfiguration = 11, DeviceIntent = 12, DeviceIntentSetting = 13, DeviceSecurity = 14, GroupPolicyAnalytics = 15, AssignmentFilter = 16, RemoteHelp = 17, OrganizationalMessage = 18, EndpointPrivilegeMgmt = 19, DeviceInventory = 20
ActivityResult	Whether the action is successful or not	Success = 1

Property

Property description

Values

ActivityType

The action that the admin takes.

Create, Delete, Patch, Action, SetReference, RemoveReference, Get, Search

ActorType

Person taking the action.

Unknown = 0, ItPro, IW, System, Partner, Application, GuestUser

Category

The pane where the action took place.

Other = 0, Enrollment = 1, Compliance = 2, DeviceConfiguration = 3, Device = 4, Application = 5, EBookManagement = 6, ConditionalAccess= 7, OnPremiseAccess= 8, Role = 9, SoftwareUpdates =10, DeviceSetupConfiguration = 11, DeviceIntent = 12, DeviceIntentSetting = 13, DeviceSecurity = 14, GroupPolicyAnalytics = 15, AssignmentFilter = 16, RemoteHelp = 17, OrganizationalMessage = 18, EndpointPrivilegeMgmt = 19, DeviceInventory = 20

ActivityResult

Whether the action is successful or not

Success = 1

Permissions to access logs:

Table name Description

Table name	Description
AADSignInEventsBeta	Microsoft Entra interactive and non-interactive sign-ins
AADSpnSignInEventsBeta	Microsoft Entra service principal and managed identity sign-ins
AlertEvidence	Files, IP addresses, URLs, users, or devices associated with alerts
AlertInfo	Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization
BehaviorEntities	Behavior data types in Microsoft Defender for Cloud Apps
BehaviorInfo	Alerts from Microsoft Defender for Cloud Apps
CloudAppEvents	Events involving accounts and objects in Office 365 and other cloud apps and services
DeviceEvents	Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection
DeviceFileCertificateInfo	Certificate information of signed files obtained from certificate verification events on endpoints
DeviceFileEvents	File creation, modification, and other file system events
DeviceImageLoadEvents	DLL loading events
DeviceInfo	Machine information, including OS information
DeviceLogonEvents	Sign-ins and other authentication events on devices
DeviceNetworkEvents	Network connection and related events
DeviceNetworkInfo	Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents	Process creation and related events
DeviceRegistryEvents	Creation and modification of registry entries
DeviceTvmHardwareFirmware	Hardware and firmware information of devices as checked by Defender Vulnerability Management
DeviceTvmInfoGathering	Defender Vulnerability Management assessment events including configuration and attack surface area states
DeviceTvmInfoGatheringKB	Metadata for assessment events collected in the `DeviceTvmInfogathering` table
DeviceTvmSecureConfigurationAssessment	Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices
DeviceTvmSecureConfigurationAssessmentKB	Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks
DeviceTvmSoftwareEvidenceBeta	Evidence info about where a specific software was detected on a device
DeviceTvmSoftwareInventory	Inventory of software installed on devices, including their version information and end-of-support status
DeviceTvmSoftwareVulnerabilities	Software vulnerabilities found on devices and the list of available security updates that address each vulnerability
DeviceTvmSoftwareVulnerabilitiesKB	Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available
EmailAttachmentInfo	Information about files attached to emails
EmailEvents	Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents	Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox
EmailUrlInfo	Information about URLs on emails
ExposureGraphEdges	Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph
ExposureGraphNodes	Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties
IdentityDirectoryEvents	Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
IdentityInfo	Account information from various sources, including Microsoft Entra ID
IdentityLogonEvents	Authentication events on Active Directory and Microsoft online services
IdentityQueryEvents	Queries for Active Directory objects, such as users, groups, devices, and domains
UrlClickEvents	Safe Links clicks from email messages, Teams, and Office 365 apps

AADSignInEventsBeta

Microsoft Entra interactive and non-interactive sign-ins

AADSpnSignInEventsBeta

Microsoft Entra service principal and managed identity sign-ins

AlertEvidence

Files, IP addresses, URLs, users, or devices associated with alerts

AlertInfo

Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization

BehaviorEntities

Behavior data types in Microsoft Defender for Cloud Apps

BehaviorInfo

Alerts from Microsoft Defender for Cloud Apps

CloudAppEvents

Events involving accounts and objects in Office 365 and other cloud apps and services

DeviceEvents

Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection

DeviceFileCertificateInfo

Certificate information of signed files obtained from certificate verification events on endpoints

DeviceFileEvents

File creation, modification, and other file system events

DeviceImageLoadEvents

DLL loading events

DeviceInfo

Machine information, including OS information

DeviceLogonEvents

Sign-ins and other authentication events on devices

DeviceNetworkEvents

Network connection and related events

DeviceNetworkInfo

Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains

DeviceProcessEvents

Process creation and related events

DeviceRegistryEvents

Creation and modification of registry entries

DeviceTvmHardwareFirmware

Hardware and firmware information of devices as checked by Defender Vulnerability Management

DeviceTvmInfoGathering

Defender Vulnerability Management assessment events including configuration and attack surface area states

DeviceTvmInfoGatheringKB

Metadata for assessment events collected in the DeviceTvmInfogathering table

DeviceTvmSecureConfigurationAssessment

Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices

DeviceTvmSecureConfigurationAssessmentKB

Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks

DeviceTvmSoftwareEvidenceBeta

Evidence info about where a specific software was detected on a device

DeviceTvmSoftwareInventory

Inventory of software installed on devices, including their version information and end-of-support status

DeviceTvmSoftwareVulnerabilities

Software vulnerabilities found on devices and the list of available security updates that address each vulnerability

DeviceTvmSoftwareVulnerabilitiesKB

Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available

EmailAttachmentInfo

Information about files attached to emails

EmailEvents

Microsoft 365 email events, including email delivery and blocking events

EmailPostDeliveryEvents

Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox

EmailUrlInfo

Information about URLs on emails

ExposureGraphEdges

Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph

ExposureGraphNodes

Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties

IdentityDirectoryEvents

Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.

IdentityInfo

Account information from various sources, including Microsoft Entra ID

IdentityLogonEvents

Authentication events on Active Directory and Microsoft online services

IdentityQueryEvents

Queries for Active Directory objects, such as users, groups, devices, and domains

UrlClickEvents

Safe Links clicks from email messages, Teams, and Office 365 apps

Last updated 1 month ago