Searching Events

name

Use quotes or backticks within values to help you find all events that have the specified name.

Search for events by specifying the name. Choose values from: UserLoggedIn, Update application, Set domain authentication, Set federation settings on domain, Update application - Certificates and secrets management, Update service Prinicpal, Add service principal credentials, Add app role assignment grant to user, Add app role assignment to service principal, Consent to application, UserLoggedIn/UserLoginFailed, MailboxLogin, MailItemAccessed, FileAccessed, FileAccessedExtended

Example

Show events that have name as UserLoggedIn

name:"UserLoggedIn"

connector.type

Search for connectors by specifying the connector type. Choose value from: OFFICE365, GOOGLE WORKSPACE, SALESFORCE, DROPBOX, ZOOM, SLACK

Example

Show all connectors of the type OFFICE365

connector.type:OFFICE365

connector.name

Use a text value ##### to search all events having the specified connector name.

Example

Show results with name O365Connector1

connector.name:O365Connector1

Search for events based on the event category. Choose value from: Domain; Application, ServicePrincipal, SAMLToken, User, Powershell; Mailbox, WinRM, File

Example

Show all events of the category ServicePrincipal

category:"ServicePrincipal"

serviceType

Search for events based on the type of the service. Choose value from: AzureActiveDirectory, ExchangeOnline, OneDrive

Example

Show all events of the service type AzureActiveDirectory

serviceType:"AzureActiveDirectory"

actionDetail.result

Search for events based on the actionDetail.result. Choose value from: Success, Fail

Example

Show all events of the results Success

actionDetail.result:"Success"

actor.id

Search for events that have a specific actor ID.

Example

Show all events that have actor ID 98e0c33e-7acc-46d3-82ba-dd313ef4434f

actor.id:"98e0c33e-7acc-46d3-82ba-dd313ef4434f"

actor.email

Search for events by specifying the actor's email addresses.

Example

Show all events attended by user having email address testprod@qualyssscmsdev.com

actor.email:"testprod@qualyssscmsdev.com"

actor.type

Search for events based on the type of actor. Choose value from: User, ServicePrincipal, Application

Example

Show all events of the actor type User

actor.type:"User"

origin.ip

Search for events that have a specific origin IP.

Example

Show all events that have origin IP 40.79.154.194

origin.ip:"40.79.154.194"

origin.userAgent

Search for events that have a specific origin user agents.

Example

Show all events that have origin user agents as EvoSTS

origin.userAgent:"EvoSTS"

actionDetail.modifiedResources.resourceId

Search for events that have a specific resource ID.

Example

Show all events that have resource ID as 05e394a6-3d79-483b-abf2-5f39c5787196

actionDetail.modifiedResources.resourceId:"05e394a6-3d79-483b-abf2-5f39c5787196"

actionDetail.modifiedResources.resourceName

Search for events that have a specific resource name.

Example

Show all events that have resource name as Microsoft Graph

actionDetail.modifiedResources.resourceName:"Microsoft Graph"

subCategory

Filter the connectors by selecting a sub-category. Choose value from: User/Group, Application, Global, File/Link Operation

Example

Show all connectors of the sub-category Application

subCategory:Application

severity

Filter the connectors by selecting a severity. Choose value from: High, Low, Medium

Example

Show all connectors of severity High

severity:High