Office365 Log Reference

Normalized log messages contain indexed key/value pairs for faster searching. Vendor Field mapping tables show which vendor log fields map to which Logpoint fields. Mapping depends on the normalizer used.

| Vendor Fields | Logpoint Fields |
| --- | --- |
| actorObjectClass | actor_object_class |
| actorObjectId | actor_object_id |
| additionalDetails | additional_information |
| auditEventCategory | audit_event_category |
| correlationId | correlation_id |
| env_appId | application_id |
| env_appVer | application_version |
| env_cloud_deploymentUnit | cloud_deployment_unit |
| env_cloud_environment | could_environment |
| evn_cloud_name | cloud |
| env_cloud_role | cloud_role |
| env_cloud_roleInstance | cloud_role_instance |
| evn_could_roleVer | cloud_role_version |
| env_flags | flag |
| env_osVer | os_version |
| env_os | os |
| env_popSample | pop_sample |
| env_seqNum | sequence_number |
| env_time | env_ts |
| env_ver | env_version |
| extendedAuditEventcategory | extended_audit_event_category |
| ModifiedProperties | event_properties |
| resultType | result_type |
| targetIncludedUpdatedProperties | target_included_updated_properties |
| targetObjectId | target_object_id |
| targetPUID | target_puid |
| targetUPN | target_upn |
| teamName | team |
| FileSyncBytesCommitted | file_sync_bytes_committed |
| MachineId | machine_id |
| OperationDetails | operation_details |
| ClientApplicationId | client_application_id |
| EntityPath | path |
| alert_name | alert |
| AlertLinks | alert_link |
| EventData | event_data |
| ClientType | client_type |
| ApplicationDisplayName | application_display_name |
| ListBaseType | list_base_type |
| ListTitle | list_title |
| ListBaseTemplateType | list_base_template_type |
| OperationDetails | details |
| ResourceTitle | title |
| ResourceUrl | url |
| object_name | object |
| TeamGuid | team_guid |
| ChannelName | channel |
| ChannelGuid | channel_guid |
| ExtraProperties | description |
| TabType | tab_type |
| ClientInfoString | client_information |
| ExternalAccess | external_access |
| ItemId | item_id |
| ItemIsRecord | item_is_record |
| MailboxOwnerMasterAccountSid | mailbox_owner_master_account_sid |
| ItemInternetMessageDd | item_internet_message_id |
| copyRoleAssignments | copy_role_assignments |
| UniqueSharingId | unique_sharing_id |
| ImplicitShare | implicit_share |
| ClassificationInfo | classification_information |
| actorappId | actor_application_id |
| actorContextId | actor_context_id |
| actorUPN | actor_upn |
| destinationfilename | destination_file |
| actorpuid | actor_puid |
| role_wellknownobjectname | role |
| role_displayname | role_name |
| role_objectid | role_object_id |
| role_templateid | role_template_id |
| SharePointMetaDataFileSize | file_size |
| SharePointMetaDataFrom | sender |
| SharePointMetaDataSiteCollectionUrl | site_url |
| PolicyDetailsPolicyName | policy |
| PolicyDetailsRulesActionParameters | action_parameter |
| PolicyDetailsRulesConditionsMatchedCondition MatchedInNewScheme | matched_in_new_scheme |
| PolicyDetailsRulesConditionsMatchedSensitive InformationConfidence | sensative_info_confidence |
| PolicyDetailsRulesConditionsMatchedSensitive InformationCount | sensative_info_count |
| PolicyDetailsRulesConditionsMatchedSensitive InformationSensitiveInformationDetections ResultsTruncated | sensitive_info_result_truncated |
| PolicyDetailsRulesConditionsMatchedSensitive InformationSensitiveInformationTypeName | sensative_info_type_id |
| PolicyDetailsRulesConditionsMatchedSensitive InformationSensitiveType | sensative_info_type |


Labels

Labels are key-value pairs assigned to log fields after parsing, used to categorize, enrich, and structure logs for easier search, correlation, and visualization. Labels also normalize vendor-specific logs to make them searchable in a unified way.

Logpoint applies labels via:

  • Label Packages

  • Normalization Signatures

  • Labeling Rules

Labels are applied according to the Office 365 application. Find relevant labels for each application below.

Azure Active Directory (examples)

| ACTION | LABELS |
| --- | --- |
| Update group | Update, Group, Account, Management |
| Change user license | User, License, Change, Account, Management |
| Change user Password | Change, User, Password, Account, Management |
| Reset user password | User, Password, Reset, Account, Management |
| UserLoggedIn | User, Login, Successful |
| Add user | Add, User, Account, Management |
| Add group | Add, Group, Account, Management |
| UserLoginFailed | User, Login, Fail |
| Hard Delete application | Delete, Application |
| Delete group | Delete, Group, Account, Management |
| Add owner to group | Add, Owner, Group, Account, Management |
| Update user | Update, User, Account, Management |
| Delete user | Delete, User, Account, Management |
| Add member to group | Add, Member, Group, Account, Management, User |
| Add service principal | Account, Management, Add, Principal, Service |
| Update service principal | Update, Service, Principal, Application, Management |
| Set Company Information | Set, Company, Information, Directory, Management |
| Update device | Update, Device |
| Add app role assignment grant to user | Add, Application, Role, User |
| Consent to application | Application, Consent |
| Update StsRefreshTokenValidFrom Timestamp | Update, Time |
| Remove OAuth3PermissionGrant | Remove, Permission |
| Add OAuth3PermissionGrant | Add, Permission |
| Update application | Update, Application |
| Add registered owner to device | Add, User, Device, Account, Management |
| Add app role assignment to service principal | Add, Application, Role, Service, Principal |
| Add device | Add, Device |
| Add registered users to device | Add, User, Device, Account, Management |
| Remove member from group | Remove, Member, Group, Account, Management, User |
| Add owner to application | Add, User, Application, Management |
| Add application | Add, Application, Management |
| Update company | Update, Company |
| Add member to a role | Add, Member, Role, Account, Management, User |

SharePoint (examples)

| ACTION | LABELS |
| --- | --- |
| Added To Group | Group, Management |
| Site Collection Created | Site, Collection, Create |
| File Previewed | File, View |
| File CheckedIn | File, Check |
| Folder Created | Folder, Create |
| File Modified Extended | File, Modify |
| Site Collection Admin Removed | Admin, Remove |
| File Sync Downloaded Full | File, Download |
| Folder Deleted | Folder, Delete |
| File Accessed | File, Access |
| File Deleted | File, Delete |
| Group Updated | Group, Update |
| File Checked Out | File, Check |
| Page Viewed | Page, View |
| File Sync Uploaded Full | File, Sync, Upload, Full |
| File Accessed Extended | File, Access, Extend |
| File Downloaded | File, Download |
| Site Collection Admin Added | Admin, Add |
| File Uploaded | File, Upload |
| File Modified | File, Modify |
| File Moved | File, Move |
| Folder Modified | Folder, Modify |
| Folder Renamed | Folder, Rename |
| File Renamed | File, Rename |
| Secure Link Used | Secure, Link, Use |
| List Column Created | List, Column, Create |
| List Item Created | List, Create, Item |
| List Created | List, Create |
| Company Link Created | Company, Link, Create |
| List Column Updated | List, Column, Update |
| WAC Token Shared | Token, Share |
| Secure Link Created | Secure, Link, Create |
| Added To Secure Link | Add, Secure, Link |
| Folder Moved | Folder, Move |
| List Item Updated | List, Item, Update |
| List Updated | List, Update |
| Search Query Performed | Search, Query, Perform |

OneDrive (examples)

| ACTION | LABELS |
| --- | --- |
| Sharing Inheritance Broken | Share, Inheritance, Broken |
| Folder Created | Folder, Create |
| File Modified Extended | File, Extend, Modify |
| File Uploaded | File, Upload |
| File Accessed | File, Access |
| Site Collection Admin Added | Admin, Add |
| Folder Modified | Folder, Modify |
| Site Collection Admin Removed | Admin, Remove |
| Anonymous Link Created | Anonymous, Link, Create |
| File Sync Downloaded Full | File, Download |
| Folder Deleted | Folder, Delete |
| Sharing Set | Share, Set |
| File Renamed | File, Rename |
| File Deleted | File, Delete |
| Page Viewed | Page, View |
| Group Added | Add, Group |
| File Sync Uploaded Full | File, Sync, Upload, Full |
| Added To Group | Add, Group |
| File Accessed Extended | File, Access, Extend |
| File Modified | File, Modify |
| File Moved | File, Move |
| File Downloaded | File, Download |
| Page Viewed Extended | Page, View, Extend |
| Anonymous Link Used | Anonymous, Link, Use |
| Company Link Created | Company, Link, Create |
| Permission Level Added | Permission, Level, Add |
| Company Link Used | Company, Link, Use |
| List Column Created | List, Column, Create |
| WAC Token Shared | Token, Share |
| List Created | List, Create |
| Anonymous Link Updated | Anonymous, Link, Update |
| File Copied | File, Copy |
| Folder Moved | Folder, Move |
| Site Deleted | Site, Delete |
| List Updated | List, Update |
| Site Column Created | Site, Column, Create |
| List Column Updated | List, Column, Update |
| DLPRuleMatch | Data, Loss, Prevention, Rule, Match |

Exchange (examples)

| ACTION | LABELS |
| --- | --- |
| Install-Data Classification Config | Install, Data, Classification, Configuration |
| Set-User | Set, User |
| Set-Mailbox | Set, Mailbox |
| Install-Resource Config | Install, Resource, Configuration |
| Remove-Mailbox Location | Remove, Mailbox, Location |
| Set-Unified Group | Set, Unify, Group |
| Create | Create |
| New-Mailbox Relocation Request | New, Mail, Relocation, Request |
| Install-AdminAuditLogConfig | Install, Admin, Auditlog, Configuration |
| Set-AdminAuditLogConfig | Set, Admin, Auditlog, Configuration |
| Add-MailboxPermission | Add, Mailbox, Permission |
| Set-ExchangeAssistanceConfig | Set, Assistance, Configuration |
| Remove-UnifiedGroup | Remove, Group |
| Install-DefaultSharingPolicy | Install, Default, Share, Policy |
| Set-OwaMailboxPolicy | Set, Mailbox, Policy |
| SoftDelete | Soft, Delete |
| Set-MailUser | Set, Mail, User |
| ModifyFolderPermissions | Modify, Folder, Permission |
| SendAs | Send |
| HardDelete | Hard, Delete |
| FolderBind | Folder, Bind |
| New-Mailbox | New, Mailbox |
| Add-Recipient Permission | Add, Receiver, Permission |
| Set-Recipient Enforcement ProvisioningPolicy | Set, Recipient, Enforcement, Provision, Policy |
| Set-Tenant Object Version | Set, Tenant, Object, Version |
| Set-Organization Config | Set, Organization, Configuration |
| Remove Folder Permissions | Remove, Folder, Permission |
| New-AntiPhish Policy | New, Policy |
| New-Exchange Assistance Config | New, Assistance, Configuration |
| New-App | New, Application |
| Enable-AddressListPaging | Enable, Paging |
| Set-AntiPhish Policy | Set, Add, Policy |
| Set-AntiPhish Rule | Set, Add, Rule |
| Set-Transport Config | Set, Add, Transport, Configuration |

Microsoft Teams (examples)

| ACTION | LABELS |
| --- | --- |
| Tab Added | Tab, Add |
| Channel Deleted | Channel, Delete |
| Channel Added | Channel, Add |
| Member Removed | Member, Remove, User, Account, Management |
| Teams Session Started | Team, Session, Start |
| Team Created | Team, Create |
| Tab Updated | Tab, Update |
| Tab Removed | Tab, Remove |
| Member Added | Member, Add, User, Account, Management |
| Connector Added | Connector, Add |

Skype For Business (examples)

| ACTION | LABELS |
| --- | --- |
| Get-CsTeams Client Configuration | Get, Client, Configuration |
| Set-CsTenant Federation Configuration | Set, Federation, Configuration |
| Get-CsTenant Licensing Configuration | Get, License, Configuration |
| Get-CsTeams UpgradePolicy | Policy, Change, Update |
| Get-CsOnline User | Get, Online, User |
| Set-CsOnline DirectoryTenant | Set, Online, Directory, Tenant |
| Get-CsTeams Messaging Policy | Get, Message, Policy |
| Get-CsTenant | Get, Tenant |
| Get-CsTeams Upgrade Configuration | Get, Update, Configuration |

Security Compliance Center

Action labels:

| ACTION | LABELS |
| --- | --- |
| File Downloaded | File, Download |
| Alert Triggered | Alert, Trigger |
| File Deleted | File, Delete |
| File Uploaded | File, Upload |
| File Copied | File, Copy |
| File Accessed | File, Access |

Category labels:

| CATEGORY | LABELS |
| --- | --- |
| DataGovernance | Security, Compliance, Alert, Data, Governance |
| ThreatManagement | Security, Compliance, Alert, Threat, Management |
| MailFlow | Security, Compliance, Alert, Mail, Flow |
| Permissions | Security, Compliance, Alert, Permission |
| DataLossPrevention | Security, Compliance, Alert, Data, Loss, Prevention |
| AccessGovernance | Security, Compliance, Alert, Access, Governance |
| Others | Security, Compliance, Alert, Other |
