Purview Audit Log Schema

Purview Audit Log Schema Overview

The Microsoft Learn page Detailed activity properties in the audit log provides the schema for events logged in the Microsoft Purview portal or the Microsoft Purview compliance portal. The tables below reproduce that schema.

Audit Log Schema

| Property | Description | Microsoft service that has this property |
|---|---|---|
| Actor | The user or service account that performed the action. | Azure Active Directory |
| AddOnName | The name of an add-on that was added, removed, or updated in a team. The type of add-ons in Microsoft Teams is a bot, a connector, or a tab. | Microsoft Teams |
| AddOnType | The type of an add-on that was added, removed, or updated in a team. The following values indicate the type of add-on. 1 - Indicates a bot. 2 - Indicates a connector. 3 - Indicates a tab. | Microsoft Teams |
| AppAccessContext | The application context for the user or service principal that performed the action. | Microsoft Teams |
| ArtifactShared | Files or content shared by the user. | Microsoft Teams |
| AzureActiveDirectoryEventType | The type of Azure Active Directory activity. The following values indicate the type of activity. 0 - Indicates an account sign-in activity. 1 - Indicates an Azure application security activity. | Azure Active Directory |
| ChannelGuid | The ID of a Microsoft Teams channel. The team that the channel is located in is identified by the TeamName and TeamGuid properties. | Microsoft Teams |
| ChannelName | The name of a Microsoft Teams channel. The team that the channel is located in is identified by the TeamName and TeamGuid properties. | Microsoft Teams |
| Client | The client device, the device OS, and the device browser used for the sign-in activity (for example, Nokia Lumia 920; Windows Phone 8; IE Mobile 11). | Azure Active Directory |
| ClientInfoString | Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information. | Exchange (mailbox activity) |
| ClientIP | The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity. Also, for admin activity (or activity performed by a system account) for Azure Active Directory-related activities, the IP address isn't logged and the value for the ClientIP property is null. | Azure Active Directory, Exchange, SharePoint |
| CreationTime | The date and time in Coordinated Universal Time (UTC) when the audit log record is generated. | All |
| CurrentProtectionType | A complex property type containing fields that describe the current protection status of a document. ProtectionType: enumerates the type of protection applied to the document; the values are 0 (no protection), 1 (template-based protection), 2 (don't forward, for email), 3 (encrypt only), and 4 (custom, user configured protection). Owner: the email address of the user that configured protection. TemplateId: when the ProtectionType is set to 1 (template), this field contains the GUID of the template applied to the document; when the value of ProtectionType doesn't equal 1, this field is blank. DocumentEncrypted: Boolean flag indicating whether any type of encryption is applied to the document; values are True or False. | All |
| DestinationFileExtension | The file extension of a file that is copied or moved. This property is displayed only for the FileCopied and FileMoved user activities. | SharePoint |
| DestinationFileName | The name of the file that is copied or moved. This property is displayed only for the FileCopied and FileMoved actions. | SharePoint |
| DestinationRelativeUrl | The URL of the destination folder where a file is copied or moved. The combination of the values for the SiteURL, the DestinationRelativeURL, and the DestinationFileName property is the same as the value for the ObjectID property, which is the full path name for the file that was copied. This property is displayed only for the FileCopied and FileMoved user activities. | SharePoint |
| EventSource | Identifies that an activity occurred in SharePoint. Possible values are SharePoint and ObjectModel. | SharePoint |
| ExternalAccess | For Exchange admin activity, specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator. For Exchange mailbox activity, specifies whether a mailbox was accessed by a user outside your organization. | Exchange |
| ExtendedProperties | The extended properties for an Azure Active Directory activity. | Azure Active Directory |
| ID | The ID of the report entry. The ID uniquely identifies the report entry. | All |
| InternalLogonType | Reserved for internal use. | Exchange (mailbox activity) |
| ItemType | The type of object that was accessed or modified. Possible values include File, Folder, Web, Site, Tenant, and DocumentLibrary. | SharePoint |
| IsJoinedFromLobby | Whether or not the user joined a Teams session from the lobby. | Microsoft Teams |
| LoginStatus | Identifies sign-in failures that might have occurred. | Azure Active Directory |
| LogonType | The type of mailbox access. The following values indicate the type of user who accessed the mailbox. 0 - Indicates a mailbox owner. 1 - Indicates an administrator. 2 - Indicates a delegate. 3 - Indicates the transport service in the Microsoft datacenter. 4 - Indicates a service account in the Microsoft datacenter. 6 - Indicates a delegated administrator. | Exchange (mailbox activity) |
| MailboxGuid | The Exchange GUID of the mailbox that was accessed. | Exchange (mailbox activity) |
| MailboxOwnerUPN | The email address of the person who owns the mailbox that was accessed. | Exchange (mailbox activity) |
| Members | Lists the users that have been added to or removed from a team. The following values indicate the Role type assigned to the user. 1 - Indicates the Owner role. 2 - Indicates the Member role. 3 - Indicates the Guest role. The Members property also includes the name of your organization and the member's email address. | Microsoft Teams |
| ModifiedProperties (Name, NewValue, OldValue) | The property is included for admin activities, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such as the user who was added as a site admin), and the previous value of the modified object. | All (admin activity) |
| ObjectFullyQualifiedName | The fully qualified name for an entity. | Microsoft Purview (governance) |
| ObjectId | For Exchange admin audit logging, the name of the object that was modified by the cmdlet. For SharePoint activity, the full URL path name of the file or folder accessed by a user. For Azure AD activity, the name of the user account that was modified. | All |
| ObjectName | The main entity name. | Microsoft Purview (governance) |
| ObjectType | The entity type. | Microsoft Purview (governance) |
| OldValue | The value before a change; includes all properties updated or deleted. | Microsoft Purview (governance) |
| Operation | The name of the user or admin activity. The value of this property corresponds to the value that was selected in the Activities drop-down list. If Show results for all activities was selected, the report will include entries for all user and admin activities for all services. For a description of the operations/activities that are logged in the audit log, see the Audited activities tab in Search the audit log in the Office 365. For Exchange admin activity, this property identifies the name of the cmdlet that was run. | All |
| OrganizationId | The GUID for your organization. | All |
| NewValue | The value after a change; includes all properties updated or deleted. | Microsoft Purview (governance) |
| Path | The name of the mailbox folder where the message that was accessed is located. This property also identifies the folder where a message is created in or copied/moved to. | Exchange (mailbox activity) |
| Parameters | For Exchange admin activity, the name and value for all parameters that were used with the cmdlet that is identified in the Operation property. | Exchange (admin activity) |
| ParticipantInfo | Additional properties about the participant identity. | Microsoft Teams |
| ParticipatingDomainInformation | Domain information about the participant. | Microsoft Teams |
| PreviousProtectionType | A complex property type containing fields that describe the previous protection status of a document. ProtectionType: enumerates the type of protection applied to the document; the values are 0 (no protection), 1 (template-based protection), 2 (don't forward, for email), 3 (encrypt only), and 4 (custom, user configured protection). Owner: the email address of the user that configured protection. TemplateId: when the ProtectionType is set to 1 (template), this field contains the GUID of the template applied to the document; when the value of ProtectionType doesn't equal 1, this field is blank. DocumentEncrypted: Boolean flag indicating whether any type of encryption is applied to the document; values are True or False. | All |
| ProtectionEventType | Enumerates how the protection was changed by the operation being audited. The following values and meanings apply: 0 - Indicates unchanged. 1 - Indicates added. 2 - Indicates changed. 3 - Indicates removed. | All |
| RecordType | The type of operation indicated by the record. This property indicates the service or feature that the operation was triggered in. For a list of record types and their corresponding ENUM value (which is the value displayed in the RecordType property in an audit record), see Audit log record type. | |
| ResultStatus | Indicates whether the action (specified in the Operation property) was successful or not. For Exchange admin activity, the value is either True (successful) or False (failed). | All |
| SecurityComplianceCenterEventType | Indicates that the activity was a Microsoft Purview portal activity. All Microsoft Purview portal activities have a value of 0 for this property. | Microsoft Purview portal |
| SensitivityLabel | The sensitivity label assigned to a specific mail item. | Exchange |
| SharingType | The type of sharing permissions that was assigned to the user that the resource was shared with. This user is identified in the UserSharedWith property. | SharePoint |
| Site | The GUID of the site where the file or folder accessed by the user is located. | SharePoint |
| SiteUrl | The URL of the site where the file or folder accessed by the user is located. | SharePoint |
| SourceFileExtension | The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder. | SharePoint |
| SourceFileName | The name of the file or folder accessed by the user. | SharePoint |
| SourceRelativeUrl | The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, the SourceRelativeURL, and the SourceFileName property is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user. | SharePoint |
| Subject | The subject line of the message that was accessed. | Exchange (mailbox activity) |
| TabType | The type of tab added, removed, or updated in a team. The possible values for this property are: Excel pin - An Excel tab. Extension - All first-party and third-party apps, such as Class Schedule, VSTS, and Forms. Notes - OneNote tab. Pdfpin - A PDF tab. Powerbi - A Power BI tab. Powerpointpin - A PowerPoint tab. Sharepointfiles - A SharePoint tab. Webpage - A pinned website tab. Wiki-tab - A wiki tab. Wordpin - A Word tab. | Microsoft Teams |
| Target | The user that the action (identified in the Operation property) was performed on. For example, if a guest is added to SharePoint or a Microsoft Team, that user would be listed in this property. | Azure Active Directory |
| TeamGuid | The ID of a team in Microsoft Teams. | Microsoft Teams |
| TeamName | The name of a team in Microsoft Teams. | Microsoft Teams |
| UserAgent | Information about the user's browser. This information is provided by the browser. | SharePoint |
| UserDomain | Identity information about the tenant organization of the user (actor) who performed the action. | Azure Active Directory |
| UserId | The user who performed the action (specified in the Operation property) that resulted in the record being logged. Audit records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included in the audit log. Another common value for the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service. For more information, see The app@sharepoint user in audit records or System accounts in Exchange mailbox audit records. | All |
| UserKey | Contains a valid Azure Active Directory Object ID in GUID format or hex format. For scenarios where the primary actor isn't a user, the UserKey is an empty string. See UserType and UserKey scenarios for details on various UserKey scenarios. | All |
| UserType | The type of user that performed the operation. See UserType and UserKey scenarios for details on various UserType scenarios. | All |
| Version | Indicates the version number of the activity (identified by the Operation property) that's logged. | All |
| Workload | The Microsoft 365 service where the activity occurred. | All |

UserType and UserKey scenarios

The following table provides details for UserType and UserKey scenarios:

| Value | UserType member name | Description | UserKey |
|---|---|---|---|
| 0 | Regular | A regular user without admin permissions. | Microsoft Entra Object ID in GUID format |
| 2 | Admin | An administrator in your Microsoft 365 organization. | Microsoft Entra Object ID in GUID format |
| 3 | DCAdmin | A Microsoft datacenter administrator or datacenter system account. | Microsoft Entra Object ID in GUID format |
| 4 | System | An audit event triggered by server-side logic. For example, Windows services or background processes. | Guid.Empty.ToString() (or the value '00000000-0000-0000-0000-000000000000'). |
| 5 | Application | An audit event triggered by a Microsoft Entra application. | Microsoft Entra Application Name or Application ID (when available). Otherwise, an empty string. |
| 6 | ServicePrincipal | A service principal. | Guid.Empty.ToString() (or the value '00000000-0000-0000-0000-000000000000'). |
| 7 | CustomPolicy | A customer created or managed policy. | Guid.Empty.ToString() (or the value '00000000-0000-0000-0000-000000000000'). |
| 8 | SystemPolicy | A Microsoft-managed or system policy. | Guid.Empty.ToString() (or the value '00000000-0000-0000-0000-000000000000'). |
| 9 | PartnerTechnician | A partner tenant's user working on behalf of the customer tenant (in GDAP scenarios). | Guid.Empty.ToString() (or the value '00000000-0000-0000-0000-000000000000'). |
| 10 | Guest | A guest or anonymous user. | Guid.Empty.ToString() (or the value '00000000-0000-0000-0000-000000000000'). |
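As an added example (not code from the original page or from Microsoft), the following Python triages exported Purview audit records against the fields described above: Exchange LogonType, ExternalAccess, the UserType/UserKey pairing, PartnerTechnician activity and ProtectionEventType. The records, user names and contoso.example addresses are constructed sample data.

```python
"""Triage Microsoft Purview audit records using the schema fields on this page.

Added example, not part of the original page: the records are constructed sample
data; the enum values come from the UserType, LogonType and ProtectionEventType
descriptions in the schema tables above.
"""
import json
import re

# UserType values and member names (UserType and UserKey scenarios table).
USER_TYPE = {0: "Regular", 2: "Admin", 3: "DCAdmin", 4: "System",
             5: "Application", 6: "ServicePrincipal", 7: "CustomPolicy",
             8: "SystemPolicy", 9: "PartnerTechnician", 10: "Guest"}
# LogonType values for Exchange mailbox activity (value 5 is not defined).
LOGON_TYPE = {0: "Owner", 1: "Administrator", 2: "Delegate", 3: "Transport",
              4: "DatacenterServiceAccount", 6: "DelegatedAdministrator"}
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
GUID_KEYED = {0, 2, 3}  # UserTypes whose UserKey must be a real Entra object ID


def triage(record: dict) -> list[str]:
    """Return the reasons one audit record deserves analyst review (empty if none)."""
    reasons = []
    user_type = record.get("UserType")
    user_key = record.get("UserKey") or ""
    op = record.get("Operation")
    # Exchange mailbox activity: anyone but the owner (LogonType 0) touched a mailbox.
    if record.get("Workload") == "Exchange" and record.get("LogonType", 0) != 0:
        who = LOGON_TYPE.get(record["LogonType"], f"unknown({record['LogonType']})")
        reasons.append(f"non-owner mailbox access by {who} on {record.get('MailboxOwnerUPN')}")
    # ExternalAccess=True: cmdlet run by datacenter personnel, a datacenter service
    # account or a delegated admin, or a mailbox accessed from outside the organization.
    if record.get("ExternalAccess") is True:
        reasons.append(f"ExternalAccess=True for operation {op}")
    # Regular, Admin and DCAdmin records must carry an Entra object ID, not Guid.Empty.
    if user_type in GUID_KEYED and (user_key == EMPTY_GUID or not GUID_RE.match(user_key)):
        reasons.append(f"UserType {USER_TYPE[user_type]} without an Entra object ID in UserKey")
    # PartnerTechnician (9): a partner tenant user acting on the customer tenant (GDAP).
    if user_type == 9:
        reasons.append(f"partner technician activity: {op}")
    # ProtectionEventType 3 means protection was removed from the document.
    if record.get("ProtectionEventType") == 3:
        reasons.append(f"protection removed from {record.get('ObjectId')}")
    return reasons


def triage_export(raw_json: str) -> dict[str, list[str]]:
    """Parse a JSON array of audit records; map Id -> reasons for records with findings."""
    results = {}
    for rec in json.loads(raw_json):
        hits = triage(rec)
        if hits:
            results[rec["Id"]] = hits
    return results


# Constructed sample export (not real tenant data): four records, three should surface.
SAMPLE_EXPORT = json.dumps([
    {"Id": "rec-1", "Workload": "Exchange", "Operation": "MailItemsAccessed",
     "UserType": 0, "UserKey": "1b2c3d4e-0000-4000-8000-000000000001",
     "UserId": "assistant@contoso.example", "LogonType": 2,
     "MailboxOwnerUPN": "cfo@contoso.example", "ExternalAccess": False},
    {"Id": "rec-2", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserType": 3, "UserKey": EMPTY_GUID, "ExternalAccess": True},
    {"Id": "rec-3", "Workload": "SharePoint", "Operation": "FileDownloaded",
     "UserType": 0, "UserKey": "1b2c3d4e-0000-4000-8000-000000000002"},
    {"Id": "rec-4", "Workload": "SharePoint", "Operation": "SensitivityLabelRemoved",
     "UserType": 9, "UserKey": EMPTY_GUID, "ProtectionEventType": 3,
     "ObjectId": "https://contoso.example/sites/hr/budget.xlsx"},
])

if __name__ == "__main__":
    for rec_id, hits in triage_export(SAMPLE_EXPORT).items():
        print(rec_id, "->", "; ".join(hits))
```

Records exported from the unified audit log keep the property names shown in the schema table, so the same functions apply to a real export once the constructed SAMPLE_EXPORT is swapped for the file contents.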