Searching Events

Use the following search tokens to search in the Events tab under Monitor.

name

Use quotes or backticks within values to help you find all events that have the specified name.

Search for events by specifying the name. Choose values from: UserLoggedIn, Update application, Set domain authentication, Set federation settings on domain, Update application - Certificates and secrets management, Update service Prinicpal, Add service principal credentials, Add app role assignment grant to user, Add app role assignment to service principal, Consent to application, UserLoggedIn/UserLoginFailed, MailboxLogin, MailItemAccessed, FileAccessed, FileAccessedExtended

Example

Show events that have name as UserLoggedIn

name:"UserLoggedIn"

connector.type

Search for connectors by specifying the connector type. Choose value from: OFFICE365, GOOGLE WORKSPACE, SALESFORCE, DROPBOX, ZOOM, SLACK

Example

Show all connectors of the type OFFICE365

connector.type:OFFICE365

connector.name

Use a text value ##### to search all events having the specified connector name.

Example

Show results with name O365Connector1

connector.name:O365Connector1

category

Search for events based on the event category. Choose value from: Domain, Application, ServicePrincipal, SAMLToken, User, Powershell, Mailbox, WinRM, File

Example

Show all events of the category ServicePrincipal

category:"ServicePrincipal"

serviceType

Search for events based on the type of the service. Choose value from: AzureActiveDirectory, ExchangeOnline, OneDrive

Example

Show all events of the service type AzureActiveDirectory

serviceType:"AzureActiveDirectory"

actionDetail.result

Search for events based on the actionDetail.result. Choose value from: Success, Fail

Example

Show all events with the result Success

actionDetail.result:"Success"

actor.id

Search for events that have a specific actor ID.

Example

Show all events that have actor ID 98e0c33e-7acc-46d3-82ba-dd313ef4434f

actor.id:"98e0c33e-7acc-46d3-82ba-dd313ef4434f"

actor.email

Search for events by specifying the actor's email address.

Example

Show all events performed by the user with email address [email protected]

actor.email:"[email protected]"

actor.type

Search for events based on the type of actor. Choose value from: User, ServicePrincipal, Application

Example

Show all events of the actor type User

actor.type:"User"

origin.ip

Search for events that have a specific origin IP.

Example

Show all events that have origin IP 40.79.154.194

origin.ip:"40.79.154.194"

origin.userAgent

Search for events that have a specific origin user agent.

Example

Show all events that have the origin user agent EvoSTS

origin.userAgent:"EvoSTS"

actionDetail.modifiedResources.resourceId

Search for events that have a specific resource ID.

Example

Show all events that have the resource ID 05e394a6-3d79-483b-abf2-5f39c5787196

actionDetail.modifiedResources.resourceId:"05e394a6-3d79-483b-abf2-5f39c5787196"

actionDetail.modifiedResources.resourceName

Search for events that have a specific resource name.

Example

Show all events that have the resource name Microsoft Graph

actionDetail.modifiedResources.resourceName:"Microsoft Graph"

subCategory

Filter the connectors by selecting a sub-category. Choose value from: User/Group, Application, Global, File/Link Operation

Example

Show all connectors of the sub-category Application

subCategory:Application

severity

Filter the connectors by selecting a severity. Choose value from: High, Low, Medium

Example

Show all connectors of severity High

severity:High