Detailed properties in the Office 365 audit log

When you export the results of an audit log search from the Office 365 Security & Compliance Center, you have the option to download all the results that meet your search criteria. You do this by selecting Export results > Download all results on the Audit log search page in the Security & Compliance Center. For more information, see Search the audit log in the Office 365 Protection Center.

When your export all results for an audit log search, the raw data from the Office 365 unified audit log is copied to a comma separated value (CSV) file this is downloaded to your local computer. This file contains additional information from the audit log entry in a column named Detail. This column contains a multi-value property for multiple properties from the audit log record. Each of the property:value pairs in this multi-value property are separated by a comma.

The following table describes the properties that are included—depending on the Office 365 service in which an event occurs—in the multi-property Detail column. The Office 365 service that has this property    column indicates the service and type of activity (user or admin) that includes the property. For more detailed information about these properties or about properties that might not be listed in this topic, see Office 365 Management Activity API Schema.

Tip: You can use the Power Query in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. To learn how to do this, see the "Split a column by delimiter" section in Split a column of text (Power Query).

Property

Description

Office 365 service that has this property

Actor

The user or service account that performed the action.

Azure Active Directory

AzureActiveDirectoryEventType

The type of Azure Active Directory event. The following values indicate the type of event.

0      Indicates an account login event.

1      Indicates an Azure application security event.

Azure Active Directory

Client

The client device, the device OS, and the device browser used for the login event (for example, Nokia Lumnia 920; Windows Phone 8; IE Mobile 11).

Azure Active Directory

ClientInfoString

Information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information

Exchange (mailbox activity)

ClientIP

The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.

Exchange and Azure Active Directory

ClientIPAddress

Same as ClientIP.

SharePoint

CreationTime

The date and time in Coordinated Universal Time (UTC) when the user performed the activity.

All

DestinationFileExtension

The file extension of a file that is copied or moved. This property is displayed only for the FileCopied and FileMoved user activities.

SharePoint

DestinationFileName

The name of the file is copied or moved. This property is displayed only for the FileCopied and FileMoved actions.

SharePoint

DestinationRelativeUrl

The URL of the destination folder where a file is copied or moved. The combination of the values for the SiteURL, the DestinationRelativeURL, and the DestinationFileName properties is the same as the value for the ObjectID property, which is the full path name for the file that was copied. This property is displayed only for the FileCopied and FileMoved user activities.

SharePoint

EventSource

Identifies that an event occurred in SharePoint. Possible values are SharePoint and ObjectModel.

SharePoint

ExternalAccess

For Exchange admin activity, specifies whether the cmdlet was run by a user in your organization, by Microsoft datacenter personnel or a datacenter service account, or by a delegated administrator. The value False indicates that the cmdlet was run by someone in your organization. The value True indicates that the cmdlet was run by datacenter personnel, a datacenter service account, or a delegated administrator.

For Exchange mailbox activity, specifies whether a mailbox was accessed by a user outside your organization.

Exchange

ExtendedProperties

The extended properties for an the Azure Active Directory event.

Azure Active Directory

ID

The ID of the report entry. The ID uniquely identifies the report entry.

All

InternalLogonType

Reserved for internal use.

Exchange (mailbox activity)

ItemType

The type of object that was accessed or modified. Possible values include File, Folder, Web, Site, Tenant, and DocumentLibrary.

SharePoint

LoginStatus

Identifies login failures that might have occurred.

Azure Active Directory

LogonType

The type of mailbox access. The following values indicate the type of user who accessed the mailbox.

0      Indicates a mailbox owner.

1      Indicates an administrator.

2      Indicates a delegate.

3      Indicates the transport service in the Microsoft datacenter.

4      Indicates a service account in the Microsoft datacenter.

6      Indicates a delegated administrator.

Exchange (mailbox activity)

MailboxGuid

The Exchange GUID of the mailbox that was accessed.

Exchange (mailbox activity)

MailboxOwnerUPN

The email address of the person who owns the mailbox that was accessed.

Exchange (mailbox activity)

ModifiedProperties (Name, NewValue, OldValue)

The property is included for admin events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group) the new value of the modified property (such the user who was added as a site admin, and the previous value of the modified object.

All (admin activity)

ObjectID

For Exchange admin audit logging, the name of the object that was modified by the cmdlet.

For SharePoint activity, the full URL path name of the file or folder accessed by a user.

For Azure AD activity, the name of the user account that was modified.

All

Operation

The name of the user or admin activity. The value of this property corresponds to the value that was selected in the Activities drop down list. If Show results for all activities was selected, the report will included entries for all user and admin activities for all services. For a description of the operations/activities that are logged in the Office 365 audit log, see Audited activities in Office 365.

For Exchange admin activity, this property identifies the name of the cmdlet that was run.

All

OrganizationID

The GUID for your Office 365 organization.

All

Path

The name of the mailbox folder where the message that was accessed is located. This property also identifies the folder a where a message is created in or copied/moved to.

Exchange (mailbox activity)

Parameters

For Exchange admin activity, the name and value for all parameters that were used with the cmdlet that is identified in the Operation property.

Exchange (admin activity)

RecordType

The type of operation indicated by the record. The following values indicate the record type.

1      Indicates a record from the Exchange admin audit log.

2      Indicates a record from the Exchange mailbox audit log for an operation performed on a singled mailbox item.

3      Also indicates a record from the Exchange mailbox audit log. This record type indicates the operation was performed on multiple items in the source mailbox (such as moving multiple items to the Deleted Items folder or permanently deleting multiple items).

4      Indicates a site admin operation in SharePoint, such as an administrator or user assigning permissions to a site.

6      Indicates a file or folder-related operation in SharePoint, such as a user viewing or modifying a file.

8      Indicates an admin operation performed in Azure Active Directory.

9      Indicates OrgId logon events in Azure Active Directory. This record type is being deprecated.

10      Indicates security cmdlet events that were performed by Microsoft personnel in the data center.

11      Indicates Data loss protection (DLP) events in SharePoint.

12      Indicates Sway events.

14      Indicates sharing events in SharePoint.

15      Indicates Secure Token Service (STS) logon events in Azure Active Directory.

18      Indicates Security & Compliance Center events.

20      Indicates Power BI events.

22      Indicates Yammer events.

All

ResultStatus

Indicates whether the action (specified in the Operation property) was successful or not.

For Exchange admin activity, the value is either True (successful) or False (failed).

All

SecurityComplianceCenterEventType

Indicates that the activity was a Security & Compliance Center event. All Security & Compliance Center activities will have a value of 0 for this property.

Office 365 Security & Compliance Center

SharingType

The type of sharing permissions that was assigned to the user that the resource was shared with. This user is identified in the UserSharedWith property.

SharePoint

Site

The GUID of the site where the file or folder accessed by the user is located.

SharePoint

SiteUrl

The URL of the site where the file or folder accessed by the user is located.

SharePoint

SourceFileExtension

The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a folder.

SharePoint

SourceFileName

The name of the file or folder accessed by the user.

SharePoint

SourceRelativeUrl

The URL of the folder that contains the file accessed by the user. The combination of the values for the SiteURL, the SourceRelativeURL, and the SourceFileName properties is the same as the value for the ObjectID property, which is the full path name for the file accessed by the user.

SharePoint

Subject

The subject line of the message that was accessed.

Exchange (mailbox activity)

Target

The user that the action (identified in the Operation property) was performed on.

Azure Active Directory

UserAgent

Information about the user's browser. This information is provided by the browser.

SharePoint

UserDomain

Identity information about the tenant organization of the user (actor) who performed the action.

Azure Active Directory

UserID

The user who performed the action (specified in the Operation property) that resulted in the record being logged. Note that records for activity performed by system accounts (such as SHAREPOINT\system or NT AUTHORITY\SYSTEM) are also included in the audit log.

All

UserKey

An alternative ID for the user identified in the UserID property. For example, this property is populated with the passport unique ID (PUID) for events performed by users in SharePoint. This property also might specify the same value as the UserID property for events occurring in other services and events performed by system accounts.

All

UserSharedWith

The user that a resource was shared with. This property is included if the value for the Operation property is SharingSet. This user is also listed in the Shared with column in the report.

SharePoint

UserType

The type of user that performed the operation. The following values indicate the user type.

0      A regular user.

2      An administrator in your Office 365 organization.

3      A Microsoft datacenter administrator or datacenter system account.

4      A system account.

5      An application.

6      A service principal.

All

Version

Indicates the version number of the activity (identified by the Operation property) that's logged.

All

Workload

The Office 365 service where the activity occurred. The possible values for this property are:

SharePoint

OneDrive

Exchange

AzureActiveDirectory

DataCenterSecurity

Sway

SecurityComplianceCenter

PowerBI

Yammer

All

Return to top

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×