Microsoft 365
Microsoft 365 Unified Audit is Microsoft's consolidated log source covering Exchange Online, SharePoint, Teams and Entra ID.
Enginsight Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.id | Unique identifier for the log entry. | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (255)
| Field | Description | Type |
|---|---|---|
| o365.AffectedItems.InternetMessageId | RFC 2822 Message-ID of the affected email item. | string [] |
| o365.AffectedItems.ParentFolder.Path | Server-relative path of the folder that contains the affected item. | string [] |
| o365.AffectedItems.Id | Exchange ItemId (unique identifier) of the affected item. | string [] |
| o365.AffectedItems.ParentFolder.Id | Unique identifier of the parent folder. | string [] |
| o365.AffectedItems.Subject | Subject line of the affected email or item. | text_general [] |
| o365.Teams.ExtraProperties.Key | Name of an additional property captured for a Teams event. | string [] |
| o365.Teams.ExtraProperties.Value | Value corresponding to the Teams extra-property key. | string [] |
| o365.Teams.ParticipantInfo.ParticipatingSIPDomains.TenantId | Tenant GUID for each SIP domain represented in the session. | string [] |
| o365.Teams.ParticipantInfo.ParticipatingDomains | List of email or SIP domains that participated in the meeting or chat. | string [] |
| o365.Teams.ParticipantInfo.ParticipatingSIPDomains.DomainName | Fully-qualified SIP domain name of a participant tenant. | string [] |
| o365.All.UserTypeName | Text label for the actor's user-type (Member, Guest, Admin, etc.). | string [] |
| o365.MailboxGuid | Exchange GUID of the mailbox where the operation occurred. | string |
| o365.SharePoint.ListServerTemplate | Numeric ID of the SharePoint list template. | plong |
| o365.AD.ErrorNumber | Numeric error code returned by Microsoft Entra ID. | plong |
| o365.ClientVersion | Version string of the client app that initiated the action. | string |
| o365.AD.Version | Schema or API version of the Entra ID audit record. | plong |
| o365.Folder.Id | Unique identifier of a folder on which the action was taken. | string |
| o365.Item.ParentFolder.Id | Identifier of the folder containing the item affected by the action. | string |
| o365.OriginatingServer | Server that generated or routed the operation (text form). | text_general |
| o365.AppId | GUID of the Azure AD application that performed the action. | string |
| o365.CrossMailboxOperation | Boolean indicating that the action involved more than one mailbox. | boolean |
| o365.Item.ParentFolder.Name | Display name of the folder that contains the item. | string |
| o365.SharePoint.IsManagedDevice | True if the request came from an Intune-managed device. | boolean |
| o365.Teams.ResourceTenantId | Tenant GUID that hosts the resource in a cross-tenant scenario. | string |
| o365.Item.SizeInBytes | Size of the item (message or file) in bytes. | plong |
| o365.LogonUserSid | Security identifier (SID) of the logged-on user. | string |
| o365.ContactEmail1EmailAddress | Primary email address stored in a contact item. | string |
| o365.SharePoint.Platform | SharePoint client platform (Web, Mobile, etc.). | string |
| o365.Item.Id | Unique identifier of the item on which the operation occurred. | string |
| o365.Item.ParentFolder.Path | Folder path of the item's parent folder. | string |
| o365.TenantID | GUID of the Microsoft 365 tenant where the event occurred. | string |
| o365.SharePoint.ClientID | ID of the OAuth client that made the SharePoint request. | string |
| o365.LogonType | Numeric code representing the logon method (OWA, EWS, MAPI, etc.). | plong |
| o365.SharePoint.Version | Version number associated with the SharePoint item or API. | plong |
| o365.SharePoint.CorrelationId | Correlation GUID used to trace the SharePoint request. | string |
| o365.AD.ClientID | Client ID of the Azure AD application that performed the action. | string |
| o365.ClientRequestId | Client-supplied identifier that tags the request. | string |
| o365.SessionId | Session identifier assigned by the service. | string |
| o365.Item.ParentFolder.MemberUpn | UPN of the user who has membership on the parent folder. | string |
| o365.SharePoint.AuthenticationType | Type of authentication used in the SharePoint request. | string |
| o365.InternalLogonType | Numeric code indicating whether the logon was interactive, delegated, etc. | plong |
| o365.SharePoint.DoNotDistributeEvent | True if the event should not be distributed to downstream listeners. | boolean |
| o365.ContactEmail1DisplayName | Display name for the primary contact email address. | text_general |
| o365.DestFolder.Path | Destination folder path when an item is moved or copied. | string |
| o365.ClientIPAddress | IP address of the client device that performed the action. | string |
| o365.Item.ParentFolder.MemberSid | Security identifier (SID) of the folder member. | string |
| o365.AD.IntraSystemId | Internal system identifier used inside Microsoft Entra ID. | string |
| o365.AD.TenantID | Tenant GUID recorded by Entra ID for the event. | string |
| o365.Item.Subject | Subject line of the item affected by the action. | text_general |
| o365.MailboxOwnerUPN | UPN of the mailbox owner. | string |
| o365.ExternalAccess | True if the action was performed by an external or guest user. | boolean |
| o365.SharePoint.HighPriorityMediaProcessing | Indicates high-priority media processing in SharePoint. | boolean |
| o365.SharePoint.AppAccessContext.TokenIssuedAtTime | Time when the Azure AD token was issued for the app. | pdate |
| o365.SharePoint.TenantID | Tenant GUID recorded in the SharePoint workload. | string |
| o365.OrganizationName | Friendly name of the tenant organization. | string |
| o365.Teams.MessageVersion | Numeric version of the Teams message payload. | plong |
| o365.DestFolder.Id | Identifier of the destination folder for a move/copy action. | string |
| o365.ClientProcessName | Executable or process name of the client application. | string |
| o365.SharePoint.DeviceDisplayName | Display name of the device involved in the SharePoint request. | string |
| o365.SharePoint.WebId | GUID that identifies the SharePoint site (web). | string |
| o365.Teams.TenantID | Tenant GUID associated with the Teams event. | string |
| o365.ClientID | Client ID recorded by the service (often same as AppId). | string |
| o365.Folder.Path | Full path of the folder affected by the action. | string |
| o365.Version | Schema version of the audit event. | plong |
| o365.MailboxOwnerSid | SID of the mailbox owner. | string |
| o365.Item.InternetMessageId | Message-ID of the email item on which the operation was performed. | string |
| o365.Teams.ClientID | Client ID associated specifically with Teams events. | string |
| o365.ClientInfoString | Raw client info string (user-agent-like) captured by the service. | text_general |
| o365.ClientAppId | AppId of the client application that called the service. | string |
| o365.ModifiedProperties | Array of property names modified by the operation. | string [] |
| o365.Item.IsRecord | True if the SharePoint/Exchange item is a declared record. | boolean |
| o365.SharePoint.ListItemUniqueId | GUID that uniquely identifies the list item. | string |
| o365.SharePoint.ListId | GUID of the SharePoint list. | string |
| o365.SharePoint.ApplicationId | ID of the app performing the SharePoint operation. | string |
| o365.SharePoint.ApplicationDisplayName | Display name of the app performing the SharePoint operation. | text_general |
| o365.SharePoint.IsWorkflow | True if a SharePoint workflow triggered the event. | boolean |
| o365.SharePoint.ListTitle | Title of the SharePoint list. | text_general |
| o365.SharePoint.ListName | Internal name of the SharePoint list. | text_general |
| o365.SharePoint.ListUrl | URL of the SharePoint list. | text_general |
| o365.SharePoint.ListBaseType | Base type of the SharePoint list (GenericList, DocumentLibrary, etc.). | text_general |
| o365.SharePoint.ListBaseTemplateType | Template type the list was created from. | text_general |
| o365.SharePoint.IsHiddenList | True if the list is hidden from UI. | boolean |
| o365.SharePoint.IsDocLib | True if the list is a document library. | boolean |
| o365.SharePoint.TargetUserOrGroupName | Name of the user or group targeted by the operation. | text_general |
| o365.SharePoint.TargetUserOrGroupType | Type of the target principal (User, Group, etc.). | text_general |
| o365.SharePoint.EventData | Raw event-specific data captured by SharePoint. | text_general |
| o365.SharePoint.ModifiedProperties.Name | Names of individual SharePoint properties modified. | text_general [] |
| o365.SharePoint.ModifiedProperties.NewValue | New values of the modified SharePoint properties. | text_general [] |
| o365.SharePoint.ModifiedProperties.OldValue | Previous values of the modified SharePoint properties. | text_general [] |
| o365.SharePoint.Site | GUID of the SharePoint site where the action occurred. | text_general |
| o365.SharePoint.ItemType | Type of object accessed or modified (file, folder, site, etc.). | text_general |
| o365.SharePoint.EventSource | Indicates whether the event originated from SharePoint or Object Model. | text_general |
| o365.SharePoint.SourceName | Entity that triggered the operation (SharePoint, ObjectModel). | text_general |
| o365.SharePoint.UserAgent | User-agent string captured by SharePoint. | text_general |
| o365.SharePoint.MachineDomainInfo | Device domain information related to sync operations. | text_general |
| o365.SharePoint.MachineId | Device identifier captured by SharePoint sync. | string |
| o365.SharePoint.SiteUrl | Full URL of the SharePoint site. | text_general |
| o365.SharePoint.SourceRelativeUrl | Source folder/file URL relative to the site root. | text_general |
| o365.SharePoint.SourceFileName | Name of the source file involved in the operation. | text_general |
| o365.SharePoint.SourceFileExtension | Extension of the source file involved in the operation. | text_general |
| o365.SharePoint.DestinationRelativeUrl | Destination-relative URL recorded by SharePoint when a file or folder is moved or copied. | text_general |
| o365.SharePoint.DestinationFileName | Name of the destination file created by a move/copy operation in SharePoint. | text_general |
| o365.SharePoint.DestinationFileExtension | File-name extension of the destination file created by a move/copy action. | text_general |
| o365.SharePoint.UserSharedWith | User names or email addresses that the SharePoint item was shared with. | text_general |
| o365.SharePoint.SharingType | Indicates the SharePoint sharing action (Direct, Link, Anonymous, etc.). | text_general |
| o365.SharePoint.FileSizeBytes | Size of the SharePoint file after the operation, in bytes. | plong |
| o365.SharePoint.FileSyncBytesCommitted | Number of bytes committed during a SharePoint sync session. | plong |
| o365.Teams.MessageId | Unique identifier of the Microsoft Teams message involved in the event. | string |
| o365.Teams.MeetupId | Identifier of the Teams meeting (Meetup) where the event occurred. | string |
| o365.Teams.Members.UPN | User Principal Names (UPNs) of the participants affected by the Teams event. | string [] |
| o365.Teams.Members.Role | Numeric role code for each Teams participant (Owner, Member, Guest). | plong [] |
| o365.Teams.Members.DisplayName | Display names of the Teams participants. | text_general [] |
| o365.Teams.TeamName | Display name of the Microsoft Teams team. | string |
| o365.Teams.TeamGuid | GUID of the Microsoft Teams team. | string |
| o365.Teams.ChannelName | Display name of the channel where the event occurred. | string |
| o365.Teams.ChannelGuid | GUID of the Teams channel. | string |
| o365.Teams.AADGroupId | Azure AD group ID backing the Teams team. | string |
| o365.Teams.Id | Unique identifier of the Teams workload object referenced in the event. | string |
| o365.Teams.ChannelType | Type of channel (Standard, Private, Shared). | text_general |
| o365.Teams.ChatName | Name of the group chat (when the event is chat-scoped). | text_general |
| o365.Teams.ParentMessageId | MessageId of the parent message in a reply thread. | string |
| o365.Teams.SizeInBytes | Size in bytes of the Teams object affected by the event. | plong |
| o365.Teams.Version | Version number recorded for the Teams object. | string |
| o365.Teams.CommunicationType | Type of Teams communication (Chat, Channel, Meeting). | text_general |
| o365.Teams.ItemName | Name of the Teams item (file, tab, etc.) referenced by the event. | text_general |
| o365.Teams.ChatThreadId | Thread identifier of a Teams chat conversation. | string |
| o365.Teams.ParticipantInfo.HasForeignTenantUsers | Indicates whether foreign-tenant users participated in the session. | boolean |
| o365.Teams.ParticipantInfo.HasGuestUsers | True if guest users took part in the Teams event. | boolean |
| o365.Teams.ParticipantInfo.HasOtherGuestUsers | True if external guests from other tenants joined the session. | boolean |
| o365.Teams.ParticipantInfo.HasUnauthenticatedUsers | True when anonymous (unauthenticated) users were present. | boolean |
| o365.Teams.ParticipantInfo.ParticipatingTenantIds | Tenant GUIDs of all organisations represented in the session. | string [] |
| o365.Exchange.Folder.Id | Unique identifier of the Exchange folder on which the action was taken. | string |
| o365.Exchange.Folder.Path | Path of the Exchange folder. | text_general |
| o365.Exchange.CrossMailboxOperations | True if the operation involved more than one mailbox. | boolean |
| o365.Exchange.DestMailboxId | Unique identifier of the destination mailbox. | string |
| o365.Exchange.DestMailboxOwnerUPN | UPN of the destination mailbox owner. | text_general |
| o365.Exchange.DestMailboxOwnerSid | SID of the destination mailbox owner. | string |
| o365.Exchange.DestMailboxOwnerMasterAccountSid | Master-account SID of the destination mailbox owner. | string |
| o365.Exchange.DestFolder.Id | Identifier of the destination folder for an Exchange move/copy operation. | string |
| o365.Exchange.DestFolder.Path | Path of the destination folder for an Exchange move/copy operation. | text_general |
| o365.Exchange.Folders.Id | Identifiers of all folders affected by the operation. | string [] |
| o365.Exchange.Folders.Path | Paths of all folders affected by the operation. | text_general [] |
| o365.Exchange.AffectedItems.Id | Identifiers of the Exchange items affected by the operation. | string [] |
| o365.Exchange.AffectedItems.Subject | Subject lines of the items affected by the operation. | text_general [] |
| o365.Exchange.AffectedItems.ParentFolder.Id | Identifiers of parent folders containing the affected items. | string [] |
| o365.Exchange.AffectedItems.ParentFolder.Path | Paths of parent folders containing the affected items. | text_general [] |
| o365.Exchange.AffectedItems.Attachments | Attachment list associated with the affected items. | text_general [] |
| o365.Exchange.Item.Id | Unique identifier of the Exchange item on which the action occurred. | string |
| o365.Exchange.Item.Subject | Subject line of the Exchange item. | text_general |
| o365.Exchange.Item.ParentFolder.Id | Identifier of the parent folder that contains the item. | string |
| o365.Exchange.Item.ParentFolder.Path | Path of the parent folder that contains the item. | text_general |
| o365.Exchange.Item.Attachments | Attachments associated with the Exchange item. | text_general |
| o365.Exchange.ModifiedProperties | Array of properties modified by the Exchange operation. | string [] |
| o365.Exchange.SendAsUserSmtp | SMTP address of the user on whose behalf the message was sent (SendAs). | text_general |
| o365.Exchange.SendAsUserMailboxGuid | GUID of the mailbox from which the message was sent (SendAs). | string |
| o365.Exchange.SendOnBehalfOfUserSmtp | SMTP address used for Send-On-Behalf-Of operations. | text_general |
| o365.Exchange.SendOnBehalfOfUserMailboxGuid | Mailbox GUID for Send-On-Behalf-Of operations. | string |
| o365.Exchange.LogonType | Numeric code representing the logon method for the Exchange event. | plong |
| o365.Exchange.InternalLogonType | Numeric code indicating whether the logon was internal, delegated, etc. | plong |
| o365.Exchange.MailboxGuid | GUID of the Exchange mailbox where the event occurred. | string |
| o365.Exchange.MailboxOwnerUPN | UPN of the mailbox owner. | text_general |
| o365.Exchange.MailboxOwnerSid | SID of the mailbox owner. | string |
| o365.Exchange.MailboxOwnerMasterAccountSid | Master-account SID of the mailbox owner. | string |
| o365.Exchange.LogonUserSid | SID of the user who logged on to perform the action. | string |
| o365.Exchange.LogonUserDisplayName | Display name of the user who logged on. | text_general |
| o365.Exchange.ExternalAccess | True if the action was performed by an external or guest user. | boolean |
| o365.Exchange.OriginatingServer | Server that generated or routed the Exchange operation. | text_general |
| o365.Exchange.OrganizationName | Friendly name of the tenant organization. | text_general |
| o365.Exchange.ClientInfoString | Client-info string (user-agent-like) captured by Exchange. | text_general |
| o365.Exchange.ClientIPAddress | IP address of the client device that performed the Exchange action. | text_general |
| o365.Exchange.ClientMachineName | Machine name of the client device recorded by Exchange. | text_general |
| o365.Exchange.ClientProcessName | Process name of the client application recorded by Exchange. | text_general |
| o365.Exchange.ClientVersion | Version string of the client application recorded by Exchange. | string |
| o365.All.AppAccessContext.AADSessionId | Azure AD session ID captured in the common app-access context. | string |
| o365.All.AppAccessContext.APIId | API ID recorded in the common app-access context. | string |
| o365.All.AppAccessContext.ClientAppId | Client-application ID recorded in the common app-access context. | string |
| o365.All.AppAccessContext.ClientAppName | Display name of the client application in the common app-access context. | string |
| o365.All.AppAccessContext.CorrelationId | Correlation ID captured in the common app-access context. | string |
| o365.All.AppAccessContext.UniqueTokenId | Unique token ID recorded in the common app-access context. | string |
| o365.All.AppAccessContext.IssuedAtTime | Timestamp when the app-access token was issued. | pdate |
| o365.All.Id | Unique identifier of the audit-log record. | string |
| o365.All.RecordType | Numeric code representing the workload record type. | plong |
| o365.All.RecordName | Friendly name of the record type. | text_general |
| o365.All.CreationTime | Timestamp when the audit record was created. | pdate |
| o365.All.Operation | Name of the operation or action performed. | text_general |
| o365.All.OrganizationId | GUID of the tenant organization. | string |
| o365.All.UserType | Numeric user-type code (Member, Guest, etc.). | plong |
| o365.All.UserKey | Text key uniquely identifying the user in the workload. | text_general |
| o365.All.Workload | Name of the Microsoft 365 workload that generated the event. | text_general |
| o365.All.ResultStatus | Result (Success, Failure) returned by the operation. | text_general |
| o365.All.ObjectId | Identifier of the primary object the operation acted on. | string |
| o365.All.UserId | User ID string captured in the audit record. | text_general |
| o365.All.ClientIP | Client IP address recorded in the audit record. | text_general |
| o365.All.Scope | Scope of the audit event (Organization, Team, etc.). | text_general |
| o365.Threat.DeliveryAction | Email-delivery action taken (Delivered, Quarantined, Replaced, etc.). | text_general |
| o365.Threat.OriginalDeliveryLocation | Original mailbox/folder where the message was delivered. | text_general |
| o365.Threat.LatestDeliveryLocation | Current mailbox/folder location after any threat actions. | text_general |
| o365.Threat.AttachmentDataFileName | File name of the analysed attachment. | text_general |
| o365.Threat.AttachmentDataFileType | File type of the analysed attachment. | text_general |
| o365.Threat.AttachmentDataFileVerdict | Numeric verdict returned by threat analysis of the attachment. | plong |
| o365.Threat.AttachmentDataMalwareFamily | Malware family name identified in the attachment. | text_general |
| o365.Threat.AttachmentDataSHA256 | SHA-256 hash of the analysed attachment file. | string |
| o365.Threat.DetectionType | Detection technique that identified the threat (e.g. Malware, Phish, Spam). | text_general |
| o365.Threat.DetectionMethod | Specific analytic or engine that produced the detection. | text_general |
| o365.Threat.InternetMessageId | RFC 2822-style Internet Message-ID of the email being analysed. | string |
| o365.Threat.NetworkMessageId | Microsoft 365 internal network-message ID for the email. | string |
| o365.Threat.P1Sender | Purported responsible (P1) sender shown in the SMTP MAIL FROM. | text_general |
| o365.Threat.P2Sender | Display sender (P2) taken from the message headers. | text_general |
| o365.Threat.Policy | Name of the threat-protection policy that was matched. | text_general |
| o365.Threat.PolicyAction | Action configured in the matched policy (e.g. Quarantine, Delete). | text_general |
| o365.Threat.Recipients | Email addresses that were targeted by the message. | text_general [] |
| o365.Threat.SenderIp | IP address that actually submitted the message to Microsoft 365. | text_general |
| o365.Threat.Subject | Original subject line of the suspicious message. | text_general |
| o365.Threat.Verdict | Overall verdict assigned to the message (Malware, Phish, Clean, etc.). | text_general |
| o365.Threat.MessageTime | UTC timestamp when the message was originally sent. | pdate |
| o365.Threat.EventDeepLink | Portal deep-link that opens the threat-explorer view for this message. | string |
| o365.Threat.Delivery | Raw delivery action taken by the service (Delivered, Replaced, Dropped). | text_general |
| o365.Threat.Original | Original location of the message before threat processing. | text_general |
| o365.Threat.Latest | Current location of the message after threat processing. | text_general |
| o365.Threat.Directionality | Traffic direction (Inbound, Outbound, Intra-Org). | text_general |
| o365.Threat.ThreatsAndDetectionTech | Array of individual threat types and the tech that detected each one. | text_general [] |
| o365.Threat.AdditionalActionsAndResults | Any post-delivery actions (ZAP, Manual Remediation) and their results. | text_general [] |
| o365.Threat.Connectors | Transport connectors involved in routing the message. | text_general |
| o365.Threat.AuthDetails.Name | Names of authentication checks (SPF, DKIM, DMARC) run on the message. | text_general [] |
| o365.Threat.AuthDetails.Value | Pass/Fail results for each listed authentication check. | text_general [] |
| o365.Threat.SystemOverrides.Details | Details of any security administrator override that changed the verdict. | text_general |
| o365.Threat.SystemOverrides.FinalOverride | Final override action applied (Allow, Block). | text_general |
| o365.Threat.SystemOverrides.Result | Resultant verdict after the override was applied. | text_general |
| o365.Threat.SystemOverrides.Source | Source that triggered the override (Admin, System). | text_general |
| o365.Threat.PhishConfidenceLevel | Numeric confidence level assigned to a phishing verdict. | text_general |
| o365.AD.LogonError | Error string returned by Azure AD during a failed logon. | text_general |
| o365.AD.ErrorCode | Error code associated with the Azure AD logon error. | text_general |
| o365.AD.Actor.ID | IDs of actors (users/apps) that initiated the AD operation. | string [] |
| o365.AD.Actor.Type | Numeric type code of each actor (User, Application, ServicePrincipal). | plong [] |
| o365.AD.ActorContextId | Tenant or resource context ID in which the actor was operating. | string |
| o365.AD.ActorIpAddress | IP address recorded for the actor. | text_general |
| o365.AD.Target.ID | IDs of Azure AD target objects that were changed. | string [] |
| o365.AD.Target.Type | Numeric type codes of the target objects. | plong [] |
| o365.AD.InterSystemsId | Identifier linking related objects across Microsoft back-end systems. | string |
| o365.AD.IntraSystemsId | Identifier linking related objects within the same system. | string |
| o365.AD.SupportTicketId | Support-ticket ID recorded when an admin change is part of a support case. | string |
| o365.AD.TargetContextId | Context ID for the tenant/resource of the target objects. | string |
| o365.AD.ApplicationId | Application ID that executed the Azure AD action. | string |
| o365.AD.Client | Display name or identifier of the client app recorded by Azure AD. | text_general |
| o365.AD.DeviceProperties.Name | Names of device-property keys attached to the sign-in event. | text_general [] |
| o365.AD.DeviceProperties.Value | Values of the corresponding device-property keys. | text_general [] |
| o365.AD.ExtendedProperties.Name | Names of extended property keys captured by Azure AD. | text_general [] |
| o365.AD.ExtendedProperties.Value | Values of the corresponding extended property keys. | text_general [] |
| o365.AD.ModifiedProperties.Name | Names of properties that were modified in the Azure AD operation. | text_general [] |
| o365.AD.ModifiedProperties.NewValue | New (post-change) values for each modified property. | text_general [] |
| o365.AD.ModifiedProperties.OldValue | Original values for each modified property. | text_general [] |
| o365.AD.AzureActiveDirectoryEventType | Numeric event-type code for the Azure AD audit entry. | plong |
| o365.AD.Application | Friendly name of the application involved in the Azure AD event. | text_general |
| o365.AD.LoginStatus | Numeric login-status code (Success, Failure). | plong |
| o365.AD.UserDomain | DNS domain part of the user's UPN in the Azure AD event. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.