Microsoft 365 Logs

Panther supports pulling logs directly from Microsoft 365

Overview

Panther can pull logs from Microsoft's Office 365 Management Activity API. Panther will query the API every 5 minutes.

How to onboard Microsoft 365 logs to Panther

The Microsoft 365 API allows for pulling logs up to seven days old. If your Microsoft 365 source in Panther becomes unauthorized for longer than seven days, once authorization is reestablished, data from the previous seven days will be backfilled.

Prerequisite

  • Enable audit logging for your Microsoft 365 tenancy through the Security and Compliance Center in the Office 365 Admin Portal.

Step 1: Registering an application in Azure AD

  1. Click App Registrations in the left sidebar and then click New Registration.

  2. Enter a memorable name for your application. In the Supported account types field, select Accounts in this organizational directory only.

  3. Click Register.

  4. On the left sidebar, click Certificates and Secrets. Then click New Client Secret.

    • Add a description for the secret (e.g Panther integration).

    • Set the Expires field to 24 Months.

  5. Click Add.

    • The Client Secret will be hidden after you navigate away from this page, so copy down the Value field (not Secret ID field) before continuing.

  6. On the left sidebar, click API Permissions and then Add a permission. Find and click the Office 365 Management APIs.

  7. Click Application permissions and select all permissions: ActivityFeed.Read, ActivityFeed.ReadDlp, ServiceHealth.Read.

  8. Click Add permissions at the bottom.

    • Make sure to add both Delegated and Application permissions in the previous two steps.

Step 2: Create a new Microsoft Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Microsoft 365," then click its tile.

  4. On the slide-out panel, click Start Setup.

  5. On the next screen, enter a descriptive name for the source e.g., My Microsoft 365 logs and select the log types to ingest.

  6. Click Setup.

  7. On the Credentials page, enter values for the following fields:

    • Client ID

    • Tenant ID

    • Client Secret

  8. Click Setup. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

After the integration is created, it may take up to 12 hours for the Microsoft API to make data available for the first time.

Supported log types

Microsoft365.Audit.AzureActiveDirectory

Azure Active Directory audit events.

Reference: Microsoft Documentation on Management Activity API Schemas.

schema: Microsoft365.Audit.AzureActiveDirectory
parser:
    native:
        name: Microsoft365.Audit.AzureActiveDirectory
description: Azure Active Directory audit events.
referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
fields:
    - name: Id
      required: true
      description: Unique identifier of an audit record.
      type: string
    - name: RecordType
      required: true
      description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records.
      type: int
    - name: CreationTime
      required: true
      description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity.
      type: timestamp
      timeFormat: layout=2006-01-02T15:04:05
      isEventTime: true
    - name: Operation
      required: true
      description: The name of the user or admin activity.
      type: string
    - name: OrganizationId
      required: true
      description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
      type: string
    - name: UserType
      required: true
      description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users.
      type: int
    - name: UserKey
      description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
      type: string
      indicators:
        - username
    - name: Workload
      description: The Office 365 service where the activity occurred.
      type: string
    - name: ResultStatus
      description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.
      type: string
    - name: ObjectId
      description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
      type: string
    - name: UserId
      required: true
      description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service.
      type: string
      indicators:
        - username
    - name: ClientIP
      description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
      type: string
      indicators:
        - ip
    - name: Scope
      description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365.
      type: string
    - name: AppAccessContext
      description: The application context for the user or service principal that performed the action.
      type: object
      fields:
        - name: AADSessionId
          description: The Azure Active Directory (AAD) SessionId of the AAD sign-in that was performed by the app on behalf of the user.
          type: string
        - name: APIId
          description: The Id for the API pathway that is used to access the resource; for example access via the Microsoft Graph API.
          type: string
        - name: ClientAppId
          description: The Id of the AAD app that performed the access on behalf of the user.
          type: string
        - name: ClientAppName
          description: The name of the AAD app that performed the access on behalf of the user.
          type: string
        - name: CorrelationId
          description: An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
          type: string
          indicators:
            - trace_id
    - name: AzureActiveDirectoryEventType
      required: true
      description: The type of Azure AD event.
      type: int
    - name: ExtendedProperties
      description: The extended properties of the Azure AD event.
      type: array
      element:
        type: object
        fields:
            - name: Name
              description: Name field
              type: string
            - name: Value
              description: Value field
              type: string
    - name: ModifiedProperties
      description: This property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified property.
      type: array
      element:
        type: json
    - name: Application
      description: The application that triggers the account login event, such as Office 15.
      type: string
    - name: Client
      description: Details about the client device, device OS, and device browser that was used for the of the account login event.
      type: string
    - name: LoginStatus
      description: This property is from OrgIdLogon.LoginStatus directly. The mapping of various interesting logon failures could be done by alerting algorithms.
      type: int
    - name: UserDomain
      description: The Tenant Identity Information (TII).
      type: string
    - name: Actor
      description: The user or service principal that performed the action.
      type: array
      element:
        type: object
        fields:
            - name: ID
              description: The value of the identity given the type.
              type: string
              indicators:
                - username
            - name: Type
              description: The type of the identity.
              type: int
    - name: ActorContextId
      description: The GUID of the organization that the actor belongs to.
      type: string
    - name: ActorIpAddress
      description: The actor's IP address in IPV4 or IPV6 address format.
      type: string
      indicators:
        - ip
    - name: InterSystemsId
      description: The GUID that track the actions across components within the Office 365 service.
      type: string
    - name: IntraSystemId
      description: The GUID that's generated by Azure Active Directory to track the action.
      type: string
    - name: SupportTicketId
      description: The customer support ticket ID for the action in "act-on-behalf-of" situations.
      type: string
    - name: Target
      description: The user that the action (identified by the Operation property) was performed on.
      type: array
      element:
        type: object
        fields:
            - name: ID
              description: The value of the identity given the type.
              type: string
              indicators:
                - username
            - name: Type
              description: The type of the identity.
              type: int
    - name: TargetContextId
      description: The GUID of the organization that the targeted user belongs to.
      type: string
    - name: ApplicationId
      description: The GUID that represents the application that is requesting the login. The display name can be looked up via the Azure Active Directory Graph API.
      type: string
    - name: ErrorCode
      description: For failed logins (where the value for the Operation property is UserLoginFailed), this property contains the Azure Active Directory STS (AADSTS) error code. A value of 0 indicates a successful login.
      type: string
    - name: LogonError
      description: For failed logins, this property contains a user-readable description of the reason for the failed login.
      type: string

Microsoft365.Audit.Exchange

Microsoft Exchange audit events.

Reference: Microsoft Documentation on Management Activity API Schemas.

schema: Microsoft365.Audit.Exchange
parser:
    native:
        name: Microsoft365.Audit.Exchange
description: Microsoft Exchange audit events.
referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
fields:
    - name: Id
      required: true
      description: Unique identifier of an audit record.
      type: string
    - name: RecordType
      required: true
      description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records.
      type: int
    - name: CreationTime
      required: true
      description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity.
      type: timestamp
      timeFormat: layout=2006-01-02T15:04:05
      isEventTime: true
    - name: Operation
      required: true
      description: The name of the user or admin activity.
      type: string
    - name: OrganizationId
      required: true
      description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
      type: string
    - name: UserType
      required: true
      description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users.
      type: int
    - name: UserKey
      description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
      type: string
      indicators:
        - username
    - name: Workload
      description: The Office 365 service where the activity occurred.
      type: string
    - name: ResultStatus
      description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.
      type: string
    - name: ObjectId
      description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
      type: string
    - name: UserId
      required: true
      description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service.
      type: string
      indicators:
        - username
    - name: ClientIP
      description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
      type: string
      indicators:
        - ip
    - name: Scope
      description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365.
      type: string
    - name: AppAccessContext
      description: The application context for the user or service principal that performed the action.
      type: object
      fields:
        - name: AADSessionId
          description: The Azure Active Directory (AAD) SessionId of the AAD sign-in that was performed by the app on behalf of the user.
          type: string
        - name: APIId
          description: The Id for the API pathway that is used to access the resource; for example access via the Microsoft Graph API.
          type: string
        - name: ClientAppId
          description: The Id of the AAD app that performed the access on behalf of the user.
          type: string
        - name: ClientAppName
          description: The name of the AAD app that performed the access on behalf of the user.
          type: string
        - name: CorrelationId
          description: An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
          type: string
          indicators:
            - trace_id
    - name: ModifiedObjectResolvedName
      description: This is the user friendly name of the object that was modified by the cmdlet. This is logged only if the cmdlet modifies the object.
      type: string
    - name: Parameters
      description: The name and value for all parameters that were used with the cmdlet that is identified in the Operations property.
      type: array
      element:
        type: object
        fields:
            - name: Name
              description: Name field
              type: string
            - name: Value
              description: Value field
              type: string
    - name: ModifiedProperties
      description: The property is included for admin events. The property includes the name of the property that was modified, the new value of the modified property, and the previous value of the modified object.
      type: array
      element:
        type: json
    - name: ExternalAccess
      required: true
      description: Specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator.
      type: boolean
    - name: OriginatingServer
      description: The name of the server from which the cmdlet was executed.
      type: string
    - name: OrganizationName
      description: The name of the tenant.
      type: string
      indicators:
        - username
    - name: LogonType
      description: Indicates the type of user who accessed the mailbox and performed the operation that was logged.
      type: int
    - name: InternalLogonType
      description: Reserved for internal use.
      type: int
    - name: MailboxGuid
      description: The Exchange GUID of the mailbox that was accessed.
      type: string
    - name: MailboxOwnerUPN
      description: The email address of the person who owns the mailbox that was accessed.
      type: string
      indicators:
        - username
    - name: MailboxOwnerSid
      description: The SID of the mailbox owner.
      type: string
      indicators:
        - username
    - name: MailboxOwnerMasterAccountSid
      description: Mailbox owner account's master account SID.
      type: string
      indicators:
        - username
    - name: LogonUserSid
      description: The SID of the user who performed the operation.
      type: string
      indicators:
        - username
    - name: LogonUserDisplayName
      description: The user-friendly name of the user who performed the operation.
      type: string
    - name: ClientInfoString
      description: Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.
      type: string
    - name: ClientIPAddress
      description: The IP address of the device that was used when the operation was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
      type: string
      indicators:
        - ip
    - name: ClientMachineName
      description: The machine name that hosts the Outlook client.
      type: string
      indicators:
        - hostname
    - name: ClientProcessName
      description: The email client that was used to access the mailbox.
      type: string
    - name: ClientVersion
      description: The version of the email client.
      type: string
    - name: Folder
      description: The folder where a group of items is located.
      type: object
      fields:
        - name: Id
          description: The store ID of the folder object.
          type: string
        - name: Path
          description: The name of the mailbox folder where the message that was accessed is located.
          type: string
        - name: FolderItems
          description: FolderItems field
          type: json
    - name: CrossMailboxOperations
      description: Indicates if the operation involved more than one mailbox.
      type: boolean
    - name: DestMailboxId
      description: Set only if the CrossMailboxOperations parameter is True. Specifies the target mailbox GUID.
      type: string
    - name: DestMailboxOwnerUPN
      description: Set only if the CrossMailboxOperations parameter is True. Specifies the UPN of the owner of the target mailbox.
      type: string
    - name: DestMailboxOwnerSid
      description: Set only if the CrossMailboxOperations parameter is True. Specifies the SID of the target mailbox.
      type: string
    - name: DestMailboxOwnerMasterAccountSid
      description: Set only if the CrossMailboxOperations parameter is True. Specifies the SID for the master account SID of the target mailbox owner.
      type: string
      indicators:
        - username
    - name: DestFolder
      description: The destination folder, for operations such as Move.
      type: object
      fields:
        - name: Id
          description: The store ID of the folder object.
          type: string
        - name: Path
          description: The name of the mailbox folder where the message that was accessed is located.
          type: string
        - name: FolderItems
          description: FolderItems field
          type: json
    - name: Folders
      description: Information about the source folders involved in an operation; for example, if folders are selected and then deleted.
      type: array
      element:
        type: object
        fields:
            - name: Id
              description: The store ID of the folder object.
              type: string
            - name: Path
              description: The name of the mailbox folder where the message that was accessed is located.
              type: string
            - name: FolderItems
              description: FolderItems field
              type: json
    - name: AffectedItems
      description: Information about each item in the group.
      type: array
      element:
        type: object
        fields:
            - name: Id
              description: The store ID.
              type: string
            - name: Subject
              description: The subject line of the message that was accessed.
              type: string
            - name: ParentFolder
              description: The name of the folder where the item is located.
              type: object
              fields:
                - name: Id
                  description: The store ID of the folder object.
                  type: string
                - name: Path
                  description: The name of the mailbox folder where the message that was accessed is located.
                  type: string
                - name: FolderItems
                  description: FolderItems field
                  type: json
            - name: Attachments
              description: A list of the names and file size of all items that are attached to the message.
              type: string
    - name: Item
      description: Represents the item upon which the operation was performed.
      type: object
      fields:
        - name: Id
          description: The store ID.
          type: string
        - name: Subject
          description: The subject line of the message that was accessed.
          type: string
        - name: ParentFolder
          description: The name of the folder where the item is located.
          type: object
          fields:
            - name: Id
              description: The store ID of the folder object.
              type: string
            - name: Path
              description: The name of the mailbox folder where the message that was accessed is located.
              type: string
            - name: FolderItems
              description: FolderItems field
              type: json
        - name: Attachments
          description: A list of the names and file size of all items that are attached to the message.
          type: string
    - name: SendAsUserSmtp
      description: SMTP address of the user who is being impersonated.
      type: string
      indicators:
        - hostname
    - name: SendAsUserMailboxGuid
      description: The Exchange GUID of the mailbox that was accessed to send email as.
      type: string
    - name: SendOnBehalfOfUserSmtp
      description: SMTP address of the user on whose behalf the email is sent.
      type: string
      indicators:
        - hostname
    - name: SendOnBehalfOfUserMailboxGuid
      description: The Exchange GUID of the mailbox that was accessed to send mail on behalf of.
      type: strin

Microsoft365.Audit.General

General audit events from Office 365 services that are not included in the other log types. This can include, for example, Microsoft Teams logs.

Reference: Microsoft Documentation on Management Activity API Schemas.

schema: Microsoft365.Audit.General
parser:
    native:
        name: Microsoft365.Audit.General
description: General audit events not included in the other log types.
referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
fields:
    - name: Id
      required: true
      description: Unique identifier of an audit record.
      type: string
    - name: RecordType
      required: true
      description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records.
      type: int
    - name: CreationTime
      required: true
      description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity.
      type: timestamp
      timeFormat: layout=2006-01-02T15:04:05
      isEventTime: true
    - name: Operation
      required: true
      description: The name of the user or admin activity.
      type: string
    - name: OrganizationId
      required: true
      description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
      type: string
    - name: UserType
      required: true
      description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users.
      type: int
    - name: UserKey
      description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
      type: string
      indicators:
        - username
    - name: Workload
      description: The Office 365 service where the activity occurred.
      type: string
    - name: ResultStatus
      description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.
      type: string
    - name: ObjectId
      description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
      type: string
    - name: UserId
      required: true
      description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service.
      type: string
      indicators:
        - username
    - name: ClientIP
      description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
      type: string
      indicators:
        - ip
    - name: Scope
      description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365.
      type: string
    - name: AppAccessContext
      description: The application context for the user or service principal that performed the action.
      type: object
      fields:
        - name: AADSessionId
          description: The Azure Active Directory (AAD) SessionId of the AAD sign-in that was performed by the app on behalf of the user.
          type: string
        - name: APIId
          description: The Id for the API pathway that is used to access the resource; for example access via the Microsoft Graph API.
          type: string
        - name: ClientAppId
          description: The Id of the AAD app that performed the access on behalf of the user.
          type: string
        - name: ClientAppName
          description: The name of the AAD app that performed the access on behalf of the user.
          type: string
        - name: CorrelationId
          description: An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
          type: string
          indicators:
            - trace_id
    - name: payload
      description: The full JSON payload of the event.
      type: json

Microsoft365.Audit.SharePoint

Microsoft SharePoint audit events.

Reference: Microsoft Documentation on Management Activity API Schemas.

schema: Microsoft365.Audit.SharePoint
parser:
    native:
        name: Microsoft365.Audit.SharePoint
description: Microsoft SharePoint audit events.
referenceURL: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
fields:
    - name: Id
      required: true
      description: Unique identifier of an audit record.
      type: string
    - name: RecordType
      required: true
      description: The type of operation indicated by the record. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype for details on the types of audit log records.
      type: int
    - name: CreationTime
      required: true
      description: The date and time in Coordinated Universal Time (UTC) when the user performed the activity.
      type: timestamp
      timeFormat: layout=2006-01-02T15:04:05
      isEventTime: true
    - name: Operation
      required: true
      description: The name of the user or admin activity.
      type: string
    - name: OrganizationId
      required: true
      description: The GUID for your organization's Office 365 tenant. This value will always be the same for your organization, regardless of the Office 365 service in which it occurs.
      type: string
    - name: UserType
      required: true
      description: The type of user that performed the operation. See https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#user-type for details on the types of users.
      type: int
    - name: UserKey
      description: An alternative ID for the user identified in the UserId property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange. This property may also specify the same value as the UserID property for events occurring in other services and events performed by system accounts.
      type: string
      indicators:
        - username
    - name: Workload
      description: The Office 365 service where the activity occurred.
      type: string
    - name: ResultStatus
      description: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed. For Exchange admin activity, the value is either True or False.
      type: string
    - name: ObjectId
      description: For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet.
      type: string
    - name: UserId
      required: true
      description: The UPN (User Principal Name) of the user who performed the action (specified in the Operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included. In SharePoint, another value display in the UserId property is app@sharepoint. This indicates that the "user" who performed the activity was an application that has the necessary permissions in SharePoint to perform organization-wide actions (such as search a SharePoint site or OneDrive account) on behalf of a user, admin, or service.
      type: string
      indicators:
        - username
    - name: ClientIP
      description: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. Also, for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
      type: string
      indicators:
        - ip
    - name: Scope
      description: Was this event created by a hosted M365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to M365.
      type: string
    - name: AppAccessContext
      description: The application context for the user or service principal that performed the action.
      type: object
      fields:
        - name: AADSessionId
          description: The Azure Active Directory (AAD) SessionId of the AAD sign-in that was performed by the app on behalf of the user.
          type: string
        - name: APIId
          description: The Id for the API pathway that is used to access the resource; for example access via the Microsoft Graph API.
          type: string
        - name: ClientAppId
          description: The Id of the AAD app that performed the access on behalf of the user.
          type: string
        - name: ClientAppName
          description: The name of the AAD app that performed the access on behalf of the user.
          type: string
        - name: CorrelationId
          description: An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
          type: string
          indicators:
            - trace_id
    - name: Site
      description: The GUID of the site where the file or folder accessed by the user is located.
      type: string
    - name: ItemType
      description: The type of object that was accessed or modified.
      type: string
    - name: EventSource
      description: Identifies that an event occurred in SharePoint. Possible values are SharePoint or ObjectModel.
      type: string
    - name: SourceName
      description: The entity that triggered the audited operation. Possible values are SharePoint or ObjectModel.
      type: string
    - name: UserAgent
      description: Information about the user's client or browser. This information is provided by the client or browser.
      type: string
    - name: MachineDomainInfo
      description: Information about device sync operations. This information is reported only if it's present in the request.
      type: string
    - name: MachineId
      description: Information about device sync operations. This information is reported only if it's present in the request.
      type: string
    - name: SiteUrl
      description: The URL of the site where the file or folder accessed by the user is located.
      type: string
      indicators:
        - url